计算机科学 ›› 2017, Vol. 44 ›› Issue (11): 41-49.doi: 10.11896/j.issn.1002-137X.2017.11.007
张凯,孙小兵,彭鑫,赵文耘
ZHANG Kai, SUN Xiao-bing, PENG Xin and ZHAO Wen-yun
摘要: 相较于其他类型的漏洞,安全性漏洞更容易发生再修复,这使得安全性漏洞需要更多的开发资源,从而增加了这些安全性漏洞修复的成本。因此,减少安全性漏洞再修复的发生的重要性不言而喻。对安全性漏洞再修复的经验研究有助于减少再修复的发生。首先,通过对Mozilla工程中一些发生再修复的安全性漏洞的安全性漏洞类型、发生再修复的原因、再修复的次数、修改的提交数、修改的文件数、修改的代码行数的增减、初始修复和再修复的对比等数据进行分析,发现了安全性漏洞发生再修复是普遍存在的,且与漏洞发生原因的识别的复杂程度和漏洞修复的复杂程度这两个因素有关;其次,初始修复涉及的文件、代码的集中程度是影响再修复的原因之一,而使用更复杂、更有效的修复过程可有效避免再修复的发生;最后,总结了几种安全性漏洞发生再修复的原因,使开发人员有效地识别不同类型的安全性漏洞再修复。
| [1] TAN L,LIU C,LI Z M,et al.Bug characteristics in open source software[J].Empirical Software Engineering,2014,19(6):1665-1705. [2] HALEY C B,LANEY R,MOFFETT J D,et al.Security Requirements Engineering:A Framework for Representation and Analysis[J].IEEE Transactions on Software Engineering,2008,34(1):133-153. [3] VIEGA J,MCGRAW G.Building secure software:how to avoid security problems the right way[M].Addison-Wesley,New York,2001. [4] ZAMAN S,ADAMS B,HASSAN A E.Security versus per-formance bugs:a case study on Firefox[C]∥Proceedings of the 8th Working Conference on Mining Software Repositories.New York,NY,USA:ACM,2011:93-102. [5] ZELLER A.Why Programs Fail:A Guide to System atic Debugging[M].San Francisco,CA,USA:Morgan Kaufmann PublishersInc.,2005. [6] MCGRAW G.Software security:building security in[J].IEEESecurity & Privacy,2006,2(3):6. [7] BHATTACHARYA P,ULANOVA L,N EAMTIU I,et al.An Empirical Analysis of Bug Reports and Bug Fixing in Open Source Android Apps[C]∥Proceedings of 17th European Conference on Software Maintenance & Reengineering.Washington DC,USA:IEEE,2013:133-143. [8] GEGICK M,ROTELLA P,XIE T.Identifying security bug reports via text mining:An industrial case study[C]∥Proceedings of the 7th International Working Conference on Mining Software Repositories.Washington DC,USA:IEEE,2010:11-20. [9] DING Y,ZOU W,WEI T.Research summarize of classification of security bugs in software[C]∥Proceedings of the 5th Con-ference on Vulnerability Analysis and Risk Assessment.2012.(in Chinese) 丁羽,邹维,韦韬.软件安全漏洞分类研究综述[C]∥信息安全漏洞分析与风险评估大会.2012. [10] LI Z M,TAN L,WANG X H,et al.Have things changed now? an empirical study of bug characteristics in modern open source software[C]∥Proceedings of The Workshop on Architectural and System Support for Improving Software Dependability.Washington DC,USA:IEEE,2010:11-20. [11] SHIN Y,WILLIAMS L.An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics[C]∥Procee-dings of International Symposium on Empirical Software Engineering and Measurement.New York,NY,USA:ACM,2008:315-317. [12] ZIMMERMANN T,NAGAPPAN N,GUO P,et al.Characterizing and predicting which bugs get reopened[C]∥Proceedings of the 34th International Conference on Software Engineering.Washington DC,USA:IEEE,2012:1074-1083. [13] GUAN M.The research of software security bug detection technology based on the analysis of application[D].Xi’an:NorthWestern Polytechnical University,2007.(in Chinese) 管铭.基于程序分析的软件安全漏洞检测技术研究[D].西安:西北工业大学,2007. [14] ZHANG L,ZENG Q K.The static detection technology of software security bug[J].Software Engineering,2008,34(12):157-159.(in Chinese) 张林,曾庆凯.软件安全漏洞的静态检测技术[J].计算机工程,2008,34(12):157-159. [15] THOME J,SHAR L K,BRIAND L.Security slicing for auditing XML,XPath,and SQL injection vulnerabilities[C]∥Procee-dings of the 26th IEEE International Symposium on Software Reliability Engineering.Washington DC,USA:IEEE,2015:553-564. [16] SHAR L K,TAN H B K,BRIAND L.Mining SQL injection andcross site scripting vulnerabilities using hybrid program analysis[C]∥Proceedings of the 35th International Conference on Software Engineering.Washington DC,USA:IEEE,2013,4:642-651. [17] LV W M,LIU J.The classification and analysis of the security bugs in C/C++ programs[J].Computer Engineering and Applications,2005,41(5):123-125.(in Chinese) 吕维梅,刘坚.C/C++程序安全漏洞的分类与分析[J].计算机工程与应用,2005,41(5):123-125. [18] MA H T.The principles and defense methods of security bug in computer software[J].Science & Technology Association Forum,2009(6):49.(in Chinese) 马海涛.计算机软件安全漏洞原理及防范方法[J].科协论坛,2009(6):49. [19] NGUYEN P H,YSKOUT K,HEYMAN T,et al.SoSPa:A system of Security design Patterns for systematically engineering secure systems[C]∥Proceedings of the 18th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems.Washington DC,USA:IEEE,2015. [20] YSKOUT K,SCANDARIATO R,JOOSEN W.Do Security Patterns Really Help Designers?[C]∥Proceedings of the 37th IEEE/ACM International Conference on Software Engineering.Washington DC,USA:IEEE,2015:292-302. [21] FELDERER M,ZEZH P,BREU R,et al.Model-based security testing:a taxonomy and systematic classification[J].Software Testing Verification & Reliability,2016,26(2):119-148. [22] FELDERER M,BCHLER M,JOHNS M,et al.Security Testing:A Survey[M]∥Advances in Computers.2016:1-51. [23] XIA X,LO D,SHIHAB E,et al.Automatic,high accuracy prediction of reopened bugs[J].Automated Software Engineering,2015,22(1):75-109. |
| No related articles found! |
|
||
首页