Predicting Vulnerable Software Components – Technical Report

by Stephan Neuhaus, Thomas Zimmermann, Andreas Zeller

We introduce Vulture, a new approach and tool to predict vulnerable components in large software systems. Vulture relates a software project's version archive to its vulnerability database to find those components that had vulnerabilities in the past. It then analyzes the import structure of software components and uses a support vector machine to learn and predict which imports are most important for a component to be vulnerable. We evaluated Vulture on the C++ codebase of Mozilla and found that Vulture correctly identifies about two thirds of all vulnerable components. This allows developers and project managers to focus their testing and inspection efforts: "We should look at nsXPInstallManager more closely, because it is likely to contain yet unknown vulnerabilities."
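The pipeline sketched in the abstract, as an added illustration that is not code from the paper or the Vulture tool: a constructed version archive (component to imports) is joined with a constructed vulnerability database, each component becomes a bag-of-imports feature vector, a linear SVM is trained with a small Pegasos subgradient solver (assumed here as a stand-in for whatever SVM implementation the authors used), and imports are ranked by learned weight. All component and import names are placeholders.

```python
# Added example: toy Vulture-style pipeline on constructed data.
# Constructed version archive: component -> set of imported modules.
IMPORTS = {
    "comp_a": {"socket_io", "install_mgr", "string_util"},
    "comp_b": {"install_mgr", "string_util"},
    "comp_c": {"socket_io", "gfx_draw"},
    "comp_d": {"ui_widget", "string_util"},
    "comp_e": {"gfx_draw", "ui_widget"},
    "comp_f": {"string_util"},
    "comp_g": {"ui_widget", "gfx_draw", "string_util"},
}
# Constructed vulnerability database: components fixed for a vulnerability.
VULN_DB = {"comp_a", "comp_b", "comp_c"}


def build_dataset(imports, vuln_db):
    """Join archive and vulnerability DB into (feature vector, label) rows."""
    vocab = sorted({imp for imps in imports.values() for imp in imps})
    rows = []
    for comp, imps in sorted(imports.items()):
        x = [1.0 if v in imps else 0.0 for v in vocab] + [1.0]  # +bias feature
        rows.append((x, 1 if comp in vuln_db else -1))
    return vocab, rows


def train_svm(rows, lam=0.01, epochs=300):
    """Linear SVM via Pegasos (cyclic order, so the result is deterministic)."""
    w = [0.0] * len(rows[0][0])
    t = 0
    for _ in range(epochs):
        for x, y in rows:
            t += 1
            eta = 1.0 / (lam * t)
            margin = y * sum(wi * xi for wi, xi in zip(w, x))
            w = [(1.0 - eta * lam) * wi for wi in w]          # regularisation step
            if margin < 1.0:                                  # hinge-loss step
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
    return w


def predict(w, vocab, imps):
    """+1 = predicted vulnerable, -1 = predicted not vulnerable."""
    x = [1.0 if v in imps else 0.0 for v in vocab] + [1.0]
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) > 0 else -1


def rank_imports(w, vocab):
    """Imports ordered by how strongly they push a component towards 'vulnerable'."""
    return sorted(vocab, key=lambda v: -w[vocab.index(v)])


VOCAB, ROWS = build_dataset(IMPORTS, VULN_DB)
W = train_svm(ROWS)
```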

See also: http://pages.cpsc.ucalgary.ca/~zimmerth/publications/details/neuhaus-ccs-2007/

Reference

Stephan Neuhaus, Thomas Zimmermann, Andreas Zeller. Predicting Vulnerable Software Components. Technical Report, February 2007. Accepted at ACM CCS 2007. Please cite the conference paper.

BibTeX Entry

@techreport{neuhaus-tr-2007,
    title = "Predicting Vulnerable Software Components",
    author = "Stephan Neuhaus and Thomas Zimmermann and Andreas Zeller",
    year = "2007",
    month = "February",
    institution = "Universität des Saarlandes, Saarbrücken, Germany",
}