Back to publication list
S. R. Tate, M. Bollinadi, and J. Moore.
Characterizing Vulnerabilities in a Major Linux Distribution," in
Proceedings of the 32nd International Conference on Software
Engineering \& Knowledge Engineering (SEKE), 2020, pp. 538-543.
Abstract:
This paper reports on a careful
study of vulnerabilities in open-source software, performing both a
longitudinal study over 7 years of data and an in-depth exploration of
a particular type of vulnerability. First, data was mined from Ubuntu
security notices from 2012 to 2019, specifically pulling security
notices published within the first year of each of the four stable
releases during that time. This provided a dataset covering 3,232
security vulnerabilities, which were cross-referenced with other
information, allowing us to identify trends in types of
vulnerabilities over the past 7 years. Within these results, we see
that out-of-bounds memory access (which includes the classic "buffer
overflow" vulnerability) has consistently been the most pernicious
security weakness, so in the second part of this research we performed
an in-depth study of a random sample of 30 recent out-of-bounds access
vulnerabilities. Beginning by evaluating each vulnerability in terms
of seven features, we identified trends and patterns and expanded the
analysis to a total of eleven features. These results help further
understanding of how out-of-bounds access vulnerabilities occur in
real software, which can help both researchers looking to improve
tools for vulnerability analysis and developers learning how to avoid
common pitfalls.
Download:
Conference Paper -- Local copy
Conference site
Project web site