Characterizing the 'Security Vulnerability Likelihood' of Software Functions

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Dan DaCosta Articles by Christopher Dahn Articles by Spiros Mancoridis Articles by Vassilis Prevelakis

19th IEEE International Conference on Software Maintenance (ICSM'03)

Amsterdam, The Netherlands

September 22-September 26

ISBN: 0-7695-1905-9

	ASCII Text	x
	Dan DaCosta, Christopher Dahn, Spiros Mancoridis, Vassilis Prevelakis, "Characterizing the 'Security Vulnerability Likelihood' of Software Functions," Software Maintenance, IEEE International Conference on, pp. 266, 19th IEEE International Conference on Software Maintenance (ICSM'03), 2003.

	BibTex	x
	@article{ 10.1109/ICSM.2003.1235429, author = {Dan DaCosta and Christopher Dahn and Spiros Mancoridis and Vassilis Prevelakis}, title = {Characterizing the 'Security Vulnerability Likelihood' of Software Functions}, journal ={Software Maintenance, IEEE International Conference on}, volume = {0}, year = {2003}, issn = {1063-6773}, pages = {266}, doi = {http://doi.ieeecomputersociety.org/10.1109/ICSM.2003.1235429}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Software Maintenance, IEEE International Conference on TI - Characterizing the 'Security Vulnerability Likelihood' of Software Functions SN - 1063-6773 SP EP A1 - Dan DaCosta, A1 - Christopher Dahn, A1 - Spiros Mancoridis, A1 - Vassilis Prevelakis, PY - 2003 KW - null VL - 0 JA - Software Maintenance, IEEE International Conference on ER -

Dan DaCosta, Drexel University

Christopher Dahn, Drexel University

Spiros Mancoridis, Drexel University

Vassilis Prevelakis, Drexel University

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ICSM.2003.1235429

Software maintainers and auditors would benefit from a tool to help them focus their attention on functions that are likely to be the source of security vulnerabilities. However, the existence of such a tool is predicated on the ability to characterize a function's 'security vulnerability likelihood.'

Our hypothesis is that functions near a source of input are most likely to contain a security vulnerability. These functions should be a small percentage of the total number of functions in the system. To validate this hypothesis, we performed an experiment involving thirty one vulnerabilities in thirty open source systems. This paper describes the experiment, its outcome, and the tools used to conduct it. It also describes the FLF Finder, which is a tool that was developed using knowledge gathered from the outcome of the experiment. This tool automates the detection of high-risk functions. To demonstrate the effectiveness of the FLF Finder, three open source applications with known vulnerabilities were tested. In addition to this test, a case study was performed on the privilege separation code in the OpenSSH server daemon.

Citation:

Dan DaCosta, Christopher Dahn, Spiros Mancoridis, Vassilis Prevelakis, "Characterizing the 'Security Vulnerability Likelihood' of Software Functions," icsm, pp.266, 19th IEEE International Conference on Software Maintenance (ICSM'03), 2003

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.