Approximating Attack Surfaces with Stack Traces

Theisen, Christopher; Herzig, Kim; Morrison, Patrick; Murphy, Brendan; Williams, Laurie

doi:10.1109/icse.2015.148

Cited by 38 publications

(41 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We now give a brief overview of these algorithms and their use in this work. 1: Random Forest is shown to be relatively better than 21 other algorithms in the study by Lessmann et al [37] and it works well on imbalanced data [38]. Breiman [39] described Random Forest as a combination of tree predictors such that each tree depends on the values of a random vector sampled independently and with the same distribution for all trees in the forest.…”

Section: Machine Learning Algorithmsmentioning

confidence: 99%

Text Filtering and Ranking for Security Bug Report Prediction

Peters

Tun

et al. 2019

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Abstract-Security bug reports can describe security critical vulnerabilities in software products. Bug tracking systems may contain thousands of bug reports, where relatively few of them are security related. Therefore finding unlabelled security bugs among them can be challenging. To help security engineers identify these reports quickly and accurately, text-based prediction models have been proposed. These can often mislabel security bug reports due to a number of reasons such as class imbalance, where the ratio of non-security to security bug reports is very high. More critically, we have observed that the presence of security related keywords in both security and non-security bug reports can lead to the mislabelling of security bug reports. This paper proposes FARSEC, a framework for filtering and ranking bug reports for reducing the presence of security related keywords. Before building prediction models, our framework identifies and removes non-security bug reports with security related keywords. We demonstrate that FARSEC improves the performance of text-based prediction models for security bug reports in 90% of cases. Specifically, we evaluate it with 45,940 bug reports from Chromium and four Apache projects. With our framework, we mitigate the class imbalance issue and reduce the number of mislabelled security bug reports by 38%.

show abstract

Section: Machine Learning Algorithmsmentioning

confidence: 99%

Text Filtering and Ranking for Security Bug Report Prediction

Peters

Tun

et al. 2019

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…The crash features were used to approximate the attack surface and predict which parts of the software are more prone to be vulnerable. Theisen et al found that crash history is a strong indicator of vulnerabilities-48.4% of the "crashed" binaries in Windows contain 94.6% of known vulnerabilities [8], and 15.8% of the "crashed" source code files in Mozilla Firefox contain 73.6% of known vulnerabilities [29]. The advantage of this approach is that it does not require the labeling of training data.…”

Section: Unsupervised Methodsmentioning

confidence: 99%

“…Using this data, we explore four research questions to see whether HARMLESS can better resolve the aforementioned limitations of traditional VPMs: RQ1: Can human inspection effort be saved by applying HARMLESS to find a certain percentage of vulnerabilities? Simulated on the Mozilla Firefox data without prior known vulnerabilities as training data, we show that 60, 70, 80, 90, 95, 99% of the known vulnerabilities can be found by inspecting around 6,8,10,16,20, 34% of the source code files, respectively. These results show that a good amount of human effort can be saved by applying HARMLESS.…”

Section: Introductionmentioning

confidence: 94%

“…• Software metrics: followed by the work of Shin et al [16], SciTools' Understand 6 is used to measure the static features of software. • Crash features: followed by the work of Theisen et al [8], the crash features measure the number of time each source code file has crashed. Such information is extracted from the crash dump stack trace data.…”

Section: Feature Extractionmentioning

confidence: 99%

“…Although the state-of-the-art VPMs have shown promising results on finding vulnerabilities with reduced human inspection effort [5], [6], [7], [8], [9], these approaches have limitations: • VPMs learn models using training data which describes known vulnerabilities. Prior to the initial release, such data may not be available 1 .…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improving Vulnerability Inspection Efficiency Using Active Learning

Theisen

Williams

2021

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

Software engineers can find vulnerabilities with less effort if they are directed towards code that might contain more vulnerabilities. HARMLESS is an incremental support vector machine tool that builds a vulnerability prediction model from the source code inspected to date, then suggests what source code files should be inspected next. In this way, HARMLESS can reduce the time and effort required to achieve some desired level of recall for finding vulnerabilities. The tool also provides feedback on when to stop (at that desired level of recall) while at the same time, correcting human errors by double-checking suspicious files.This paper evaluates HARMLESS on Mozilla Firefox vulnerability data. HARMLESS found 80, 90, 95, 99% of the vulnerabilities by inspecting 10, 16, 20, 34% of the source code files. When targeting 90, 95, 99% recall, HARMLESS could stop after inspecting 23, 30, 47% of the source code files. Even when human reviewers fail to identify half of the vulnerabilities (50% false negative rate), HARMLESS could detect 96% of the missing vulnerabilities by double-checking half of the inspected files.Our results serve to highlight the very steep cost of protecting software from vulnerabilities (in our case study that cost is, for example, the human effort of inspecting 28,750 × 20% = 5,750 source code files to identify 95% of the vulnerabilities). While this result could benefit the mission-critical projects where human resources are available for inspecting thousands of source code files, the research challenge for future work is how to further reduce that cost. The conclusion of this paper discusses various ways that goal might be achieved.

show abstract

CASFinder: Detecting Common Attack Surface

Zhang

Yue

Wang

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Code reusing is a common practice in software development due to its various benefits. Such a practice, however, may also cause large scale security issues since one vulnerability may appear in many different software due to cloned code fragments. The well known concept of relying on software diversity for security may also be compromised since seemingly different software may in fact share vulnerable code fragments. Although there exist efforts on detecting cloned code fragments, there lack solutions for formally characterizing their specific impact on security. In this paper, we revisit the concept of software diversity from a security viewpoint. Specifically, we define the novel concept of common attack surface to model the relative degree to which a pair of software may be sharing potentially vulnerable code fragments. To implement the concept, we develop an automated tool, CASFinder, in order to efficiently identify common attack surface between any given pair of software with minimum human intervention. Finally, we conduct experiments by applying our tool to real world open source software applications. Our results demonstrate many seemingly unrelated software applications indeed share significant common attack surface.

show abstract

Approximating Attack Surfaces with Stack Traces

Cited by 38 publications

References 33 publications

Text Filtering and Ranking for Security Bug Report Prediction

Text Filtering and Ranking for Security Bug Report Prediction

Improving Vulnerability Inspection Efficiency Using Active Learning

CASFinder: Detecting Common Attack Surface

Contact Info

Product

Resources

About