Using semantic templates to study vulnerabilities recorded in large software repositories

Yan Wu, Robin A. Gandhi, Harvey Siy

Research output: Chapter in Book/Report/Conference proceedingConference contribution

17 Scopus citations

Abstract

Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

Original languageEnglish (US)
Title of host publication2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010
Pages22-28
Number of pages7
DOIs
StatePublished - 2010
Event2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 - Cape Town, South Africa
Duration: May 2 2010May 8 2010

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Conference

Conference2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010
CountrySouth Africa
CityCape Town
Period5/2/105/8/10

Keywords

  • CVE
  • CWE
  • buffer overflow
  • fix patterns
  • ontology
  • semantic template
  • software repository
  • vulnerability

ASJC Scopus subject areas

  • Software

Fingerprint Dive into the research topics of 'Using semantic templates to study vulnerabilities recorded in large software repositories'. Together they form a unique fingerprint.

  • Cite this

    Wu, Y., Gandhi, R. A., & Siy, H. (2010). Using semantic templates to study vulnerabilities recorded in large software repositories. In 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 (pp. 22-28). (Proceedings - International Conference on Software Engineering). https://doi.org/10.1145/1809100.1809104