
The Tip of the Iceberg: On the Merits of Finding Security Bugs

Alexopoulos, Nikolaos and Habib, Sheikh Mahbub and Schulz, Steffen and Mühlhäuser, Max (2020):
The Tip of the Iceberg: On the Merits of Finding Security Bugs.
In: ACM Transactions on Privacy and Security, 24 (1), Association for Computing Machinery, ISSN 2471-2566,
DOI: 10.1145/3406112,
[Article]

Abstract

In this article, we investigate a fundamental question regarding software security: Is the security of SW releases increasing over time? We approach this question with a detailed analysis of the large body of open-source software packaged in the popular Debian GNU/Linux distribution. Contrary to common intuition, we find no clear evidence that the vulnerability rate of widely used software decreases over time: Even in popular and “stable” releases, the fixing of bugs does not seem to reduce the rate of newly identified vulnerabilities. The intuitive conclusion is worrisome: Commonly employed development and validation procedures do not seem to scale with the increase of features and complexity—they are only chopping pieces off the top of an iceberg of vulnerabilities. To the best of our knowledge, this is the first investigation into the problem that studies a complete distribution of software, spanning multiple versions. Although we cannot give a definitive answer, we show that several popular beliefs also cannot be confirmed given our dataset. We publish our Debian Vulnerability Analysis Framework (DVAF), an automated dataset creation and analysis process, to enable reproduction and further analysis of our results. Overall, we hope our contributions provide important insights into the vulnerability discovery process and help in identifying effective techniques for vulnerability analysis and prevention.

Item Type: Article
Published: 2020
Creators: Alexopoulos, Nikolaos and Habib, Sheikh Mahbub and Schulz, Steffen and Mühlhäuser, Max
Title: The Tip of the Iceberg: On the Merits of Finding Security Bugs
Language: English
Journal or Publication Title: ACM Transactions on Privacy and Security
Journal volume: 24
Number: 1
Place of Publication: New York, NY, USA
Publisher: Association for Computing Machinery
Uncontrolled Keywords: vulnerability discovery rate, empirical study, Debian GNU/Linux
Divisions: 20 Department of Computer Science
20 Department of Computer Science > Telecooperation
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CRISP - Center for Research in Security and Privacy
Event Location: New York, NY, USA
Date Deposited: 12 Oct 2020 09:30
DOI: 10.1145/3406112
Official URL: https://doi.org/10.1145/3406112