research-article

Empirical results on the study of software vulnerabilities (NIER track)

Authors:
Yan Wu

University of Nebraska at Omaha, Omaha, NE, USA

University of Nebraska at Omaha, Omaha, NE, USA
View Profile

,
Harvey Siy

University of Nebraska at Omaha, Omaha, NE, USA

University of Nebraska at Omaha, Omaha, NE, USA
View Profile

,
Robin Gandhi

University of Nebraska at Omaha, Omaha, NE, USA

University of Nebraska at Omaha, Omaha, NE, USA
View Profile

ICSE '11: Proceedings of the 33rd International Conference on Software EngineeringMay 2011Pages 964–967https://doi.org/10.1145/1985793.1985960

Published:21 May 2011Publication History

ICSE '11: Proceedings of the 33rd International Conference on Software Engineering

Pages 964–967

ABSTRACT

While the software development community has put a significant effort to capture the artifacts related to a discovered vulnerability in organized repositories, much of this information is not amenable to meaningful analysis and requires a deep and manual inspection. In the software assurance community a body of knowledge that provides an enumeration of common weaknesses has been developed, but it is not readily usable for the study of vulnerabilities in specific projects and user environments. We propose organizing the information in project repositories around semantic templates. In this paper, we present preliminary results of an experiment conducted to evaluate the effectiveness of using semantic templates as an aid to studying software vulnerabilities.

References

Abbott, R. P., Chin, J. S. et al. The RISOS Project. Lawrence Livermore Lab TR NBSIR-76-1041,1976.Google Scholar
Aslam. Y. A Taxonomy of Security Faults in the UNIX Operating System. Purdue University, August 1995.Google Scholar
Bisbey, R. and Hollingworth, D. Protection Analysis: Final Report. ARPA ORDER NO. 2223, ISI/SR-78-13 May 1978.Google Scholar
Bishop, M. A Taxonomy of UNIX System and Network Vulnerabilities. UC Davis, CSE-95-10, May 1995.Google Scholar
CVE - Common Vulnerabilities and Exposures. http://cve.mitre.org.Google Scholar
CWE - Common Weakness Enumeration Version 1.6. 29 Oct. 2009. The MITRE Corporation. http://cwe.mitre.org/.Google Scholar
Gandhi, R. A. Siy, H., and Wu, Y. Studying Software Vulnerabilities. CrossTalk, September/October 2010.Google Scholar
Gandhi, R. A. Studying Software Vulnerabilities (companion Website). http://faculty.ist.unomaha.edu/rgandhi/st/Google Scholar
Howard, M, LeBlanc, D., Viega. J. 19 Deadly Sins of Software Security Programming Flaws and How to Fix Them, 2005. Google ScholarDigital Library
Judd, C., et al. Research Methods in Social Relations. 1991.Google Scholar
Landwehr, C., et al. A Taxonomy of Computer Program Security Flaws with Examples. ACM Computing Surveys 26, 3, Sept., 1994 Google ScholarDigital Library
National Vulnerability Database. http://nvd.nist.gov/Google Scholar
Shapiro, S. et al. An analysis of variance test for normality, 1965.Google Scholar
The Apache HTTP Server Project. http://httpd.apache.orgGoogle Scholar
The Ten Most Critical Web Application Security Vulnerabilities. The Open Web Application Security Project (OWASP), 2007.Google Scholar
Web Application Security Consortium 2005.Google Scholar
Weber, S. et al. A Software Flaw Taxonomy: Aiming Tools at Security. (SESS'05) St. Louis, Missouri, June 2005. Google ScholarDigital Library
Wu,Y., Gandhi, R. A., and Siy, H. Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories. In Proc. 6th Intl. Workshop on Software Engineering for Secure Systems (SESS'10), South Africa, Cape Town. 2010. Google ScholarDigital Library

Index Terms

Empirical results on the study of software vulnerabilities (NIER track)
1. Information systems
  1. Information retrieval
  2. Information storage systems
2. Software and its engineering
  1. Software creation and management

Recommendations

Using semantic templates to study vulnerabilities recorded in large software repositories
SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems

Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single ...
Read More
An Analysis Model of Buffer Overflow Vulnerability Based on FSM
ICGDA '19: Proceedings of the 2019 2nd International Conference on Geoinformatics and Data Analysis

Buffer overflow vulnerabilities have been the most common form of software vulnerabilities. It is very difficult and time consuming to detect possible types of vulnerabilities from a program. This paper proposes an analysis model of buffer overflow ...
Read More
Pinpointing Vulnerabilities
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

Memory-based vulnerabilities are a major source of attack vectors. They allow attackers to gain unauthorized access to computers and their data. Previous research has made significant progress in detecting attacks. However, developers still need to ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICSE '11: Proceedings of the 33rd International Conference on Software Engineering
May 2011
1258 pages
ISBN:9781450304450
DOI:10.1145/1985793
General Chair:
Richard N. Taylor
UC Irvine, USA
,
Program Chairs:
Harald Gall
University of Zurich, Switzerland
,
Nenad Medvidović
University of Southern California, USA
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 21 May 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
buffer overflow
experiment
repository
software vulnerability
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate276of1,856submissions,15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 6
  Total Citations
  View Citations
- 394
  Total Downloads
- Downloads (Last 12 months)7
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Empirical results on the study of software vulnerabilities (NIER track)

ICSE '11: Proceedings of the 33rd International Conference on Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Using semantic templates to study vulnerabilities recorded in large software repositories

An Analysis Model of Buffer Overflow Vulnerability Based on FSM

Pinpointing Vulnerabilities