A Large-Scale Empirical Study on Vulnerability Distribution within Projects and the Lessons Learned

The number of vulnerabilities increases rapidly in recent years, due to advances in vulnerability discovery solutions. It enables a thorough analysis on the vulnerability distribution and provides support for correlation analysis and prediction of vulnerabilities. Previous research either focuses on...

Full description

Saved in:
Bibliographic Details
Published in:2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE) pp. 1547 - 1559
Main Authors: Liu, Bingchang, Meng, Guozhu, Zou, Wei, Gong, Qi, Li, Feng, Lin, Min, Sun, Dandan, Huo, Wei, Zhang, Chao
Format: Conference Proceeding
Language:English
Published: ACM 01.10.2020
Subjects:
Crawlers
Empirical Study
Fuzzing
Manuals
Security
Semantics
Software engineering
Static analysis
Vulnerability Distribution
ISSN:1558-1225
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The number of vulnerabilities increases rapidly in recent years, due to advances in vulnerability discovery solutions. It enables a thorough analysis on the vulnerability distribution and provides support for correlation analysis and prediction of vulnerabilities. Previous research either focuses on analyzing bugs rather than vulnerabilities, or only studies general vulnerability distribution among projects rather than the distribution within each project. In this paper, we collected a large vulnerability dataset, consisting of all known vulnerabilities associated with five representative open source projects, by utilizing automated crawlers and spending months of manual efforts. We then analyzed the vulnerability distribution within each project over four dimensions, including files, functions, vulnerability types and responsible developers. Based on the results analysis, we presented 12 practical insights on the distribution of vulnerabilities. Finally, we applied such insights on several vulnerability discovery solutions (including static analysis and dynamic fuzzing), and helped them find 10 zero-day vulnerabilities in target projects, showing that our insights are useful.
ISSN:1558-1225
DOI:10.1145/3377811.3380923