Predicting Vulnerable Software Components – CCS 2007

by Stephan Neuhaus, Thomas Zimmermann, Christian Holler, Andreas Zeller

We introduce Vulture, a new approach and tool to predict vulnerable components in large software systems. Vulture relates a software project's version archive to its vulnerability database to find those components that had vulnerabilities in the past. It then analyzes the import structure of software components and uses a support vector machine to learn and predict which imports are most important for a component to be vulnerable. We evaluated Vulture on the C++ codebase of Mozilla and found that Vulture correctly identifies about two thirds of all vulnerable components. This allows developers and project managers to focus their testing and inspection efforts: "We should look at nsXPInstallManager more closely, because it is likely to contain yet unknown vulnerabilities."
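The pipeline the abstract sketches, as an added example that is not the authors' Vulture code: each component's import set is one-hot encoded, a linear SVM is trained on the components with a known history (a hinge-loss primal fitted by subgradient descent stands in for the SVM library the paper used), and the decision values then give the inspection order and the imports that matter most. Component names, header names and labels below are constructed, not Mozilla's.

```python
# Constructed sample data (not Mozilla data): component -> set of imported headers.
IMPORTS = {
    "CompA": {"net/socket.h", "net/parser.h", "util/string.h"},
    "CompB": {"net/parser.h", "util/buffer.h"},
    "CompC": {"ui/widget.h", "util/string.h"},
    "CompD": {"ui/layout.h", "ui/widget.h"},
    "CompE": {"net/parser.h", "net/socket.h"},
    "CompF": {"util/string.h", "ui/layout.h"},
}
# Constructed labels standing in for "this component appears in the vulnerability database".
VULNERABLE = {"CompA", "CompB", "CompE"}

def vectorize(imports, vocab):
    """One-hot import vector: 1.0 if the component imports that header, else 0.0."""
    return [1.0 if h in imports else 0.0 for h in vocab]

def train_linear_svm(X, y, lam=0.01, lr=0.1, epochs=1000):
    """Primal linear SVM (hinge loss + L2 penalty) fitted by full-batch subgradient descent."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wj for wj in w], 0.0
        for xi, yi in zip(X, y):
            if yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b) < 1:  # margin violated
                gw = [gj - yi * xj / n for gj, xj in zip(gw, xi)]
                gb -= yi / n
        w = [wj - lr * gj for wj, gj in zip(w, gw)]
        b -= lr * gb
    return w, b

def build_model(imports=IMPORTS, vulnerable=VULNERABLE):
    """Learn per-import weights from the components whose history is known."""
    vocab = sorted({h for hs in imports.values() for h in hs})
    X = [vectorize(imports[c], vocab) for c in sorted(imports)]
    y = [1.0 if c in vulnerable else -1.0 for c in sorted(imports)]
    w, b = train_linear_svm(X, y)
    return vocab, w, b

def score(imports, vocab, w, b):
    """SVM decision value for one component; positive means 'predicted vulnerable'."""
    return sum(wj * xj for wj, xj in zip(w, vectorize(imports, vocab))) + b

def rank_components(imports, vocab, w, b):
    """Inspection order: components from most to least likely vulnerable."""
    return sorted(imports, key=lambda c: score(imports[c], vocab, w, b), reverse=True)

def import_weights(vocab, w):
    """Imports ordered by how strongly they push a component towards 'vulnerable'."""
    return sorted(zip(vocab, w), key=lambda t: t[1], reverse=True)
```

Calling build_model() and then rank_components(IMPORTS, ...) yields the list a project manager would read top-down, and score() on a component with no history at all is the "yet unknown vulnerabilities" prediction the abstract describes.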

See also: http://www.softevo.org/

Reference

Stephan Neuhaus, Thomas Zimmermann, Christian Holler, Andreas Zeller. Predicting Vulnerable Software Components. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), Alexandria, VA, USA, October 2007, pp. 529-540.

BibTeX Entry

@inproceedings{neuhaus-ccs-2007,
    title = "Predicting Vulnerable Software Components",
    author = "Stephan Neuhaus and Thomas Zimmermann and Christian Holler and Andreas Zeller",
    year = "2007",
    month = "October",
    booktitle = "Proceedings of the 14th ACM Conference on Computer and Communications Security",
    location = "Alexandria, VA, USA",
    pages = "529--540",
}