Loading...
| Friend's email | |
| Your name | |
| Your email | |
| enter code | |
This page was sent successfuly
Improving real world vulnerability characterization with vulnerable slices
Salimi, S ; Sharif University of Technology | 2020
367
Viewed
- Type of Document: Article
- DOI: 10.1145/3416508.3417120
- Publisher: Association for Computing Machinery, Inc , 2020
- Abstract:
- Vulnerability detection is an important challenge in the security community. Many different techniques have been proposed, ranging from symbolic execution to fuzzing in order to help in identifying vulnerabilities. Even though there has been considerable improvement in these approaches, they perform poorly on a large scale code basis. There has also been an alternate approach, where software metrics are calculated on the overall code structure with the hope of predicting code segments more likely to be vulnerable. The logic has been that more complex code with respect to the software metrics, will be more likely to contain vulnerabilities. In this paper, we conduct an empirical study with a large dataset of vulnerable codes to discuss if we can change the way we measure metrics to improve vulnerability characterization. More specifically, we introduce vulnerable slices as vulnerable code units to measure the software metrics and then use these new measured metrics to characterize vulnerable codes. The result shows that vulnerable slices significantly increase the accuracy of vulnerability characterization. Further, we utilize vulnerable slices to analyze the dataset of known vulnerabilities, particularly to observe how by using vulnerable slices the size and complexity changes in real-world vulnerabilities.© 2020 ACM
- Keywords:
- Program slicing ; Static analysis ; Vulnerability characterization ; Vulnerability prediction ; Large dataset ; Predictive analytics ; Alternate approaches ; Code segments ; Code structure ; Empirical studies ; Security community ; Software metrics ; Symbolic execution ; Vulnerability detection ; Software engineering
- Source: PROMISE 2020 - Proceedings of the 16th ACM International Conference on Predictive Models and Data Analytics in Software Engineering, Co-located with ESEC/FSE 2020, 8 November 2020 through 9 November 2020 ; 2020 , Pages 11-20
- URL: https://dl.acm.org/doi/10.1145/3416508.3417120