Do #ifdefs influence the occurrence of vulnerabilities? an empirical study of the linux kernel

Ferreira, Gonçalo Cordeiro; Malik, Momin M.; Kästner, Christian; Apel, Sven

doi:10.1145/2934466.2934467

Cited by 24 publications

(12 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It can be verified that the coefficients of the equations 1 and 2 are low values, since the flaw rates are also low. It is uncommon to find buggy functions in Linux (Ferreira et al, 2016). So, when this already low value is divided by the number of modules, which tends to increase over time, we get very low values for the flaw rates.…”

Section: Resultsmentioning

confidence: 94%

Predicting Software Flaws with Low Complexity Models based on Static Analysis Data

Kanashiro

Ribeiro

Schwartz

et al. 2018

Journal of Information Systems Engineering & Management

View full text Add to dashboard Cite

Due to the constant evolution of technology, each day brings new programming languages, development paradigms, and ways of evaluating processes. This is no different with source code metrics, where there is always new metric classes. To use a software metric to support decisions, it is necessary to understand how to perform the metric collection, calculation, interpretation, and analysis. The tasks of collecting and calculating source code metrics are most often automated, but how should we monitor them during the software development cycle? Our research aims to assist the software engineer to monitor metrics of vulnerability threats present in the source code through a reference prediction model, considering that real world software have non-functional security requirements, which implies the need to know how to monitor these requirements during the software development cycle. As a first result, this paper presents an empirical study on the evolution of the Linux project. Based on static analysis data, we propose low complexity models to study flaws in the Linux source code. About 391 versions of the project were analyzed by mining the official Linux repository using an approach that can be reproduced to perform similar studies. Our results show that it is possible to predict the number of warnings triggered by a static analyzer for a given software project revision as long as the software is continuously monitored.

show abstract

Section: Resultsmentioning

confidence: 94%

Predicting Software Flaws with Low Complexity Models based on Static Analysis Data

Kanashiro

Ribeiro

Schwartz

et al. 2018

Journal of Information Systems Engineering & Management

View full text Add to dashboard Cite

show abstract

“…As we see in Figure 1, however, this configurability also obscures software defects. Previous studies show that such configurable code is dangerous: it has been correlated with more bugs [2] and shown to be more difficult for developers to debug [3]. We use our simulation framework to find variability bugs.…”

Section: What Are Variability Bugs?mentioning

confidence: 99%

“…We have made our framework and dataset publicly available. 2 The contributions of this paper are the following:…”

Section: Introductionmentioning

confidence: 99%

An empirical study of real-world variability bugs detected by variability-oblivious tools

Mordahl¹,

Koç

et al. 2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

View full text Add to dashboard Cite

Many critical software systems developed in C utilize compiletime configurability. The many possible configurations of this software make bug detection through static analysis difficult. While variability-aware static analyses have been developed, there remains a gap between those and state-of-the-art static bug detection tools. In order to collect data on how such tools may perform and to develop real-world benchmarks, we present a way to leverage configuration sampling, off-the-shelf łvariability-obliviousž bug detectors, and automatic feature identification techniques to simulate a variability-aware analysis. We instantiate our approach using four popular static analysis tools on three highly configurable, real-world C projects, obtaining 36,061 warnings, 80% of which are variability warnings. We analyze the warnings we collect from these experiments, finding that most results are variability warnings of a variety of kinds such as NULL dereference. We then manually investigate these warnings to produce a benchmark of 77 confirmed true bugs (52 of which are variability bugs) useful for future development of variability-aware analyses. CCS CONCEPTS • General and reference → Empirical studies; • Software and its engineering → Automated static analysis; Software testing and debugging.

show abstract

“…For example, when evolving HCSSs in VCSs, developers often commit unrelated or loosely related implementations of features [13]. Then, evolving a particular feature requires to find the implementation artifacts over many #ifdefs, compromising code comprehension and complicating maintenance and evolution tasks [9].…”

Section: Introductionmentioning

confidence: 99%

Mining Feature Revisions in Highly-Configurable Software Systems

Michelon

Obermann

Assunção

et al. 2020

Proceedings of the 24th ACM International Systems and Software Product Line Conference - Volume B

View full text Add to dashboard Cite

Highly-Configurable Software Systems (HCSSs) support the systematic evolution of systems in space, i.e., the inclusion of new features, which then allow users to configure software products according to their needs. However, HCSSs also change over time, e.g., when adapting existing features to new hardware or platforms. In practice, HCSSs are thus developed using both version control systems (VCSs) and preprocessor directives (#ifdefs). However, the use of a preprocessor as variability mechanism has been criticized regarding the separation of concerns and code obfuscation, which complicates the analysis of HCSS evolution in VCSs. For instance, a single commit may contain changes of totally unrelated features, which may be scattered over many variation points (#ifdefs), thus making the evolution history hard to understand. This complexity often leads to error-prone changes and high costs for maintenance and evolution. In this paper, we propose an automated approach to mine HCSS features taking into account evolution in space and time. Our approach uses constraint satisfaction problem solving to mine newly introduced, removed and changed features. It finds a configuration containing the feature revisions which are needed to activate a specific program location. Furthermore, it increments the revision number of each changed feature. Thus, our approach enables to analyze when and which features often change over time, as well as their interactions, for every single commit of a HCSS. Our approach can contribute to future research on understanding the characteristics of HCSS and supporting developers during maintenance and evolution tasks.

show abstract

Do #ifdefs influence the occurrence of vulnerabilities? an empirical study of the linux kernel

Cited by 24 publications

References 33 publications

Predicting Software Flaws with Low Complexity Models based on Static Analysis Data

Predicting Software Flaws with Low Complexity Models based on Static Analysis Data

An empirical study of real-world variability bugs detected by variability-oblivious tools

Mining Feature Revisions in Highly-Configurable Software Systems

Contact Info

Product

Resources

About