Security Vulnerabilities

Vulnerabilities in Red Hat’s packages

We show in an empirical study of 3241 Red Hat packages that software vulnerabilities correlate with dependencies between packages. With formal concept analysis and statistical hypothesis testing, we identify dependencies that increase the risk of vulnerabilities and dependencies that decrease it.

Depending on kdelibs increases the risk of an application being vulnerable.

Using prediction models, we can classify Red Hat packages as vulnerable with a median precision of 83% and median recall of 65%. Our findings help developers to choose new dependencies wisely and make them aware of risky dependencies.
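The hypothesis-testing half of the study above can be illustrated on a small constructed package set. The following code is an added example, not the paper's pipeline and not its formal concept analysis: for each dependency it builds the 2x2 table of depending/non-depending versus vulnerable/non-vulnerable packages, computes the risk ratio, and runs a one-sided Fisher exact test (hypergeometric null) in both directions. The packages, the libA..libD names and the vulnerability flags are made up; only the kdelibs name echoes the page.

```python
"""Dependency risk analysis over a constructed package set (added illustration)."""
from math import comb, inf
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: package -> (direct dependencies, has a known vulnerability?).
# All names and flags are invented for the example; kdelibs only mirrors the page.
PACKAGES: Dict[str, Tuple[FrozenSet[str], bool]] = {
    "app1":  (frozenset({"kdelibs", "libA"}), True),
    "app2":  (frozenset({"kdelibs", "libA", "libB"}), True),
    "app3":  (frozenset({"kdelibs", "libB"}), True),
    "app4":  (frozenset({"kdelibs", "libA"}), False),
    "app5":  (frozenset({"libA", "libC"}), False),
    "app6":  (frozenset({"libA", "libC"}), False),
    "app7":  (frozenset({"libA", "libD"}), True),
    "app8":  (frozenset({"libA", "libC"}), False),
    "app9":  (frozenset({"libA"}), False),
    "app10": (frozenset({"libC"}), False),
}


def contingency(dep: str, packages=PACKAGES) -> Tuple[int, int, int, int]:
    """Return (a, b, c, d): a/b = packages depending on `dep` that are
    vulnerable/not vulnerable, c/d = the same split for the remaining packages."""
    a = b = c = d = 0
    for deps, vulnerable in packages.values():
        if dep in deps:
            if vulnerable:
                a += 1
            else:
                b += 1
        elif vulnerable:
            c += 1
        else:
            d += 1
    return a, b, c, d


def fisher_one_sided(a: int, b: int, c: int, d: int) -> Tuple[float, float]:
    """One-sided Fisher exact test on the 2x2 table.

    Under the null, the number X of vulnerable packages among the a+b dependers
    is hypergeometric (population N, K vulnerable, n drawn).  Returns
    (P[X >= a], P[X <= a]): small first value -> dependency increases risk,
    small second value -> dependency decreases risk."""
    N, K, n = a + b + c + d, a + c, a + b

    def pmf(k: int) -> float:
        # math.comb yields 0 when the lower argument exceeds the upper one,
        # so impossible tables contribute nothing.
        return comb(K, k) * comb(N - K, n - k) / comb(N, n)

    p_increase = sum(pmf(k) for k in range(a, min(K, n) + 1))
    p_decrease = sum(pmf(k) for k in range(0, a + 1))
    return p_increase, p_decrease


def risk_ratio(a: int, b: int, c: int, d: int) -> float:
    """Vulnerability rate with the dependency divided by the rate without it."""
    with_dep = a / (a + b) if a + b else 0.0
    without = c / (c + d) if c + d else 0.0
    if without == 0.0:
        return inf if with_dep > 0.0 else 1.0
    return with_dep / without


def rank_dependencies(packages=PACKAGES) -> List[Tuple[str, float, float, float]]:
    """(dependency, risk ratio, p_increase, p_decrease), most risk-increasing first."""
    deps = sorted({d for ds, _ in packages.values() for d in ds})
    rows = []
    for dep in deps:
        a, b, c, d = contingency(dep, packages)
        p_inc, p_dec = fisher_one_sided(a, b, c, d)
        rows.append((dep, risk_ratio(a, b, c, d), p_inc, p_dec))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for dep, rr, p_inc, p_dec in rank_dependencies():
        print(f"{dep:8s} risk ratio {rr:5.2f}  p(increase) {p_inc:.3f}  p(decrease) {p_dec:.3f}")
```

With ten packages no p-value reaches conventional significance; the point is the mechanics, and the same table-building works unchanged on a real dependency graph with thousands of packages. Multiple testing across many dependencies would additionally call for a correction such as Bonferroni or Benjamini-Hochberg, which the example omits.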

The Beauty and the Beast: Vulnerabilities in Red Hat’s Packages – USENIX 2009

Predicting vulnerable software components

Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a perfect base for further investigations on what makes components vulnerable.

Tell us what you import, and we’ll tell you how vulnerable you are.

In an investigation of the Mozilla vulnerability history, we surprisingly found that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable. Based on this observation, we were able to extend Vulture by a simple predictor.

Two thirds of Vulture’s predictions are correct; it predicts half of all vulnerable components.

This allows developers and project managers to focus their efforts where they are needed most: “We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities.”
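The import-similarity idea described above, as an added example that is not Vulture's code: components are represented by the set of interfaces they import, a new component is compared with known components by Jaccard similarity, and the similarity-weighted share of vulnerable components among its k nearest neighbours becomes its score. A precision/recall helper shows how numbers like those quoted above are computed. The component names, the nsI-style interface names and the vulnerability labels are constructed for the example.

```python
"""Toy import-based vulnerability predictor (added illustration, not Vulture)."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed training set: component -> (imported interfaces, known vulnerable?).
# Names only mimic Mozilla-style identifiers; nothing here is real data.
TRAINING: Dict[str, Tuple[FrozenSet[str], bool]] = {
    "netA":    (frozenset({"nsISocket", "nsIBuffer", "nsIParser"}), True),
    "netB":    (frozenset({"nsISocket", "nsIBuffer", "nsIURL"}), True),
    "parserA": (frozenset({"nsIParser", "nsIDOMNode", "nsIBuffer"}), True),
    "uiA":     (frozenset({"nsIWidget", "nsIDrawTarget"}), False),
    "uiB":     (frozenset({"nsIWidget", "nsIMenu"}), False),
    "prefA":   (frozenset({"nsIPrefBranch", "nsIFile"}), False),
}


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Overlap of two import sets; 0.0 when either is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def nearest(imports: FrozenSet[str], training=TRAINING, k: int = 3) -> List[Tuple[str, float]]:
    """The k most similar known components, ties broken by name for determinism."""
    scored = [(name, jaccard(imports, imps)) for name, (imps, _) in training.items()]
    scored.sort(key=lambda t: (-t[1], t[0]))
    return scored[:k]


def vulnerability_score(imports: FrozenSet[str], training=TRAINING, k: int = 3) -> float:
    """Similarity-weighted fraction of vulnerable components among the k neighbours."""
    neigh = nearest(imports, training, k)
    total = sum(sim for _, sim in neigh)
    if total == 0.0:
        # Edge case: no import overlap with any known component, so no evidence.
        return 0.0
    vulnerable = sum(sim for name, sim in neigh if training[name][1])
    return vulnerable / total


def predict(imports: FrozenSet[str], training=TRAINING, k: int = 3, threshold: float = 0.5) -> bool:
    """Flag the component as likely vulnerable when the score passes the threshold."""
    return vulnerability_score(imports, training, k) > threshold


def precision_recall(predicted: Dict[str, bool], actual: Dict[str, bool]) -> Tuple[float, float]:
    """Precision = correct positives / all positives predicted;
    recall = correct positives / all truly vulnerable components."""
    tp = sum(1 for n, p in predicted.items() if p and actual[n])
    fp = sum(1 for n, p in predicted.items() if p and not actual[n])
    fn = sum(1 for n, a in actual.items() if a and not predicted.get(n, False))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    # Constructed held-out components with their (invented) true labels.
    held_out = {
        "netC":  frozenset({"nsISocket", "nsIURL", "nsIBuffer"}),
        "uiC":   frozenset({"nsIWidget", "nsIMenu", "nsIDrawTarget"}),
        "prefB": frozenset({"nsIFile", "nsIParser"}),
    }
    truth = {"netC": True, "uiC": False, "prefB": False}
    preds = {name: predict(imps) for name, imps in held_out.items()}
    for name in held_out:
        print(f"{name:6s} score {vulnerability_score(held_out[name]):.2f} -> {preds[name]}")
    print("precision %.2f recall %.2f" % precision_recall(preds, truth))
```

The prefB case is deliberately ambiguous: it shares one import with a non-vulnerable component and one each with two vulnerable ones, so the weighted vote tips it to "vulnerable" and it shows up as the false positive in the precision figure. Lowering the neighbourhood size or raising the threshold trades recall for precision, which is the same knob the quoted two-thirds/one-half figures reflect.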

Predicting Vulnerable Software Components – ACM CCS 2007