Detailed bibliography
| Title: |
Investigating the Effects of T-Wise Interaction Sampling for Vulnerability Discovery in Highly-Configurable Software Systems |
| Authors: |
Tim Bächle, Erik Hofmayer, Christoph König, Tobias Pett, Ina Schaefer |
| Source: |
Proceedings of the 29th ACM International Systems and Software Product Line Conference - Volume A, pp. 45-56 |
| Publisher information: |
ACM, 2025. |
| Publication year: |
2025 |
| Subjects: |
T-Wise Interaction Sampling, Static Analysis, Combinatorial Interaction Testing, Vulnerability Discovery, Software Product Lines |
| Description: |
Empirical evidence has shown that variability bugs, i.e., bugs that only manifest if certain features of a configurable software system are selected, are not only a theoretical concept. Many variability bugs involve an intricate interplay of multiple features, turning them into so-called feature-interaction bugs. The strategy of t-wise interaction sampling can be used to identify variability bugs in highly-configurable systems. In this regard, the number of findings, as well as the overall sample size, typically increase with stronger interaction sampling (i.e., higher t values). In this paper, we aim to confirm these observations for vulnerabilities. We use the static source code analysis platform Vari-Joern to analyze real-world highly-configurable software systems for the presence of vulnerability patterns using t-wise interaction sampling of varying strength and compare the number of findings and associated sample sizes. We analyze the feature configurations associated with the vulnerability warnings raised by our approach to evaluate the presence of feature interaction vulnerabilities. Our results show that stronger interaction sampling produces a greater number of findings at a higher computational cost, also for vulnerabilities. The increase in findings can be attributed to the identification of feature-interaction vulnerabilities involving an interplay of a greater number of features. |
| Document type: |
Article |
| DOI: |
10.1145/3744915.3748462 |
| DOI: |
10.5445/ir/1000184707 |
| Rights: |
CC BY |
| Accession number: |
edsair.doi.dedup.....edab9d92d3a76a4df88b8e5677bf9d03 |
| Database: |
OpenAIRE |