Using semantic templates to study vulnerabilities recorded in large software repositories

Yan Wu; Robin A. Gandhi; Harvey Siy

doi:10.1145/1809100.1809104

Using semantic templates to study vulnerabilities recorded in large software repositories

Yan Wu, Robin A. Gandhi, Harvey Siy

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

20 Scopus citations

Abstract

Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

Original language	English (US)
Title of host publication	2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010
Pages	22-28
Number of pages	7
DOIs	https://doi.org/10.1145/1809100.1809104
State	Published - 2010
Event	2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 - Cape Town, South Africa Duration: May 2 2010 → May 8 2010

Publication series

Name	Proceedings - International Conference on Software Engineering
ISSN (Print)	0270-5257

Conference

Conference	2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010
Country/Territory	South Africa
City	Cape Town
Period	5/2/10 → 5/8/10

Keywords

CVE
CWE
buffer overflow
fix patterns
ontology
semantic template
software repository
vulnerability

ASJC Scopus subject areas

Software

Access to Document

10.1145/1809100.1809104

Cite this

Wu, Y., Gandhi, R. A., & Siy, H. (2010). Using semantic templates to study vulnerabilities recorded in large software repositories. In 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 (pp. 22-28). (Proceedings - International Conference on Software Engineering). https://doi.org/10.1145/1809100.1809104

Using semantic templates to study vulnerabilities recorded in large software repositories. / Wu, Yan; Gandhi, Robin A.; Siy, Harvey.
2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. 2010. p. 22-28 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Wu, Y, Gandhi, RA & Siy, H 2010, Using semantic templates to study vulnerabilities recorded in large software repositories. in 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. Proceedings - International Conference on Software Engineering, pp. 22-28, 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010, Cape Town, South Africa, 5/2/10. https://doi.org/10.1145/1809100.1809104

Wu Y, Gandhi RA, Siy H. Using semantic templates to study vulnerabilities recorded in large software repositories. In 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. 2010. p. 22-28. (Proceedings - International Conference on Software Engineering). doi: 10.1145/1809100.1809104

Wu, Yan ; Gandhi, Robin A. ; Siy, Harvey. / Using semantic templates to study vulnerabilities recorded in large software repositories. 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. 2010. pp. 22-28 (Proceedings - International Conference on Software Engineering).

@inproceedings{4a0a4e7e0d22433eb98a79b22323122f,

title = "Using semantic templates to study vulnerabilities recorded in large software repositories",

abstract = "Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.",

keywords = "CVE, CWE, buffer overflow, fix patterns, ontology, semantic template, software repository, vulnerability",

author = "Yan Wu and Gandhi, {Robin A.} and Harvey Siy",

year = "2010",

doi = "10.1145/1809100.1809104",

language = "English (US)",

isbn = "9781605589657",

series = "Proceedings - International Conference on Software Engineering",

pages = "22--28",

booktitle = "2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010",

note = "2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 ; Conference date: 02-05-2010 Through 08-05-2010",

}

TY - GEN

T1 - Using semantic templates to study vulnerabilities recorded in large software repositories

AU - Wu, Yan

AU - Gandhi, Robin A.

AU - Siy, Harvey

PY - 2010

Y1 - 2010

N2 - Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

AB - Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

KW - CVE

KW - CWE

KW - buffer overflow

KW - fix patterns

KW - ontology

KW - semantic template

KW - software repository

KW - vulnerability

UR - http://www.scopus.com/inward/record.url?scp=77954606254&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77954606254&partnerID=8YFLogxK

U2 - 10.1145/1809100.1809104

DO - 10.1145/1809100.1809104

M3 - Conference contribution

AN - SCOPUS:77954606254

SN - 9781605589657

T3 - Proceedings - International Conference on Software Engineering

SP - 22

EP - 28

BT - 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010

T2 - 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010

Y2 - 2 May 2010 through 8 May 2010

ER -

Using semantic templates to study vulnerabilities recorded in large software repositories

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this