计算机科学 ›› 2017, Vol. 44 ›› Issue (11): 41-49.doi: 10.11896/j.issn.1002-137X.2017.11.007

• 2016 年全国软件与应用学术会议 • 上一篇    下一篇

基于Mozilla的安全性漏洞再修复经验研究

张凯,孙小兵,彭鑫,赵文耘   

  1. 复旦大学软件学院 上海201203复旦大学上海市数据科学重点实验室 上海201203,复旦大学软件学院 上海201203复旦大学上海市数据科学重点实验室 上海201203,复旦大学软件学院 上海201203复旦大学上海市数据科学重点实验室 上海201203,复旦大学软件学院 上海201203复旦大学上海市数据科学重点实验室 上海201203
  • 出版日期:2018-12-01 发布日期:2018-12-01
  • 基金资助:
    本文受国家自然科学基金(61402396,61370079),中国博士后科学基金(2015M571489)资助

Empirical Study of Reopened Security Bugs on Mozilla

ZHANG Kai, SUN Xiao-bing, PENG Xin and ZHAO Wen-yun   

  • Online:2018-12-01 Published:2018-12-01

摘要: 相较于其他类型的漏洞,安全性漏洞更容易发生再修复,这使得安全性漏洞需要更多的开发资源,从而增加了这些安全性漏洞修复的成本。因此,减少安全性漏洞再修复的发生的重要性不言而喻。对安全性漏洞再修复的经验研究有助于减少再修复的发生。首先,通过对Mozilla工程中一些发生再修复的安全性漏洞的安全性漏洞类型、发生再修复的原因、再修复的次数、修改的提交数、修改的文件数、修改的代码行数的增减、初始修复和再修复的对比等数据进行分析,发现了安全性漏洞发生再修复是普遍存在的,且与漏洞发生原因的识别的复杂程度和漏洞修复的复杂程度这两个因素有关;其次,初始修复涉及的文件、代码的集中程度是影响再修复的原因之一,而使用更复杂、更有效的修复过程可有效避免再修复的发生;最后,总结了几种安全性漏洞发生再修复的原因,使开发人员有效地识别不同类型的安全性漏洞再修复。

关键词: 安全性漏洞,再修复,漏洞修复,经验研究

Abstract: Compared to other types of bugs,security bug reopens more often,moreover,they need more development resources to fix it,which adds an extra cost to fix them.Hence,the empirical study of reopened security bugs is important.Our study collected the reopened security bugs from the Mozilla project,and analyzed them from the times of their reopening and commits,files which were modified to fix them,lines of added and deleted code,and comparison of the original fixing and reopened fixing.The empirical results show that security bug reopening often happen and it relates to the complexity of recognizing the reason that a security bug happens and fixing bugs.In addition,the locality of the files and code in the original security bug fixing is one of the causes to influence its re-fixing for bug reopens,and using more complex and effective fixing process can help reduce the security bug reopens.Finally,we summarized several causes for security bug reopens to help developers more easily identify the reopens of different types of security bugs.

Key words: Security bug,Reopens,Bug fixing,Empirical study

[1] TAN L,LIU C,LI Z M,et al.Bug characteristics in open source software[J].Empirical Software Engineering,2014,19(6):1665-1705.
[2] HALEY C B,LANEY R,MOFFETT J D,et al.Security Requirements Engineering:A Framework for Representation and Analysis[J].IEEE Transactions on Software Engineering,2008,34(1):133-153.
[3] VIEGA J,MCGRAW G.Building secure software:how to avoid security problems the right way[M].Addison-Wesley,New York,2001.
[4] ZAMAN S,ADAMS B,HASSAN A E.Security versus per-formance bugs:a case study on Firefox[C]∥Proceedings of the 8th Working Conference on Mining Software Repositories.New York,NY,USA:ACM,2011:93-102.
[5] ZELLER A.Why Programs Fail:A Guide to System atic Debugging[M].San Francisco,CA,USA:Morgan Kaufmann PublishersInc.,2005.
[6] MCGRAW G.Software security:building security in[J].IEEESecurity & Privacy,2006,2(3):6.
[7] BHATTACHARYA P,ULANOVA L,N EAMTIU I,et al.An Empirical Analysis of Bug Reports and Bug Fixing in Open Source Android Apps[C]∥Proceedings of 17th European Conference on Software Maintenance & Reengineering.Washington DC,USA:IEEE,2013:133-143.
[8] GEGICK M,ROTELLA P,XIE T.Identifying security bug reports via text mining:An industrial case study[C]∥Proceedings of the 7th International Working Conference on Mining Software Repositories.Washington DC,USA:IEEE,2010:11-20.
[9] DING Y,ZOU W,WEI T.Research summarize of classification of security bugs in software[C]∥Proceedings of the 5th Con-ference on Vulnerability Analysis and Risk Assessment.2012.(in Chinese) 丁羽,邹维,韦韬.软件安全漏洞分类研究综述[C]∥信息安全漏洞分析与风险评估大会.2012.
[10] LI Z M,TAN L,WANG X H,et al.Have things changed now? an empirical study of bug characteristics in modern open source software[C]∥Proceedings of The Workshop on Architectural and System Support for Improving Software Dependability.Washington DC,USA:IEEE,2010:11-20.
[11] SHIN Y,WILLIAMS L.An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics[C]∥Procee-dings of International Symposium on Empirical Software Engineering and Measurement.New York,NY,USA:ACM,2008:315-317.
[12] ZIMMERMANN T,NAGAPPAN N,GUO P,et al.Characterizing and predicting which bugs get reopened[C]∥Proceedings of the 34th International Conference on Software Engineering.Washington DC,USA:IEEE,2012:1074-1083.
[13] GUAN M.The research of software security bug detection technology based on the analysis of application[D].Xi’an:NorthWestern Polytechnical University,2007.(in Chinese) 管铭.基于程序分析的软件安全漏洞检测技术研究[D].西安:西北工业大学,2007.
[14] ZHANG L,ZENG Q K.The static detection technology of software security bug[J].Software Engineering,2008,34(12):157-159.(in Chinese) 张林,曾庆凯.软件安全漏洞的静态检测技术[J].计算机工程,2008,34(12):157-159.
[15] THOME J,SHAR L K,BRIAND L.Security slicing for auditing XML,XPath,and SQL injection vulnerabilities[C]∥Procee-dings of the 26th IEEE International Symposium on Software Reliability Engineering.Washington DC,USA:IEEE,2015:553-564.
[16] SHAR L K,TAN H B K,BRIAND L.Mining SQL injection andcross site scripting vulnerabilities using hybrid program analysis[C]∥Proceedings of the 35th International Conference on Software Engineering.Washington DC,USA:IEEE,2013,4:642-651.
[17] LV W M,LIU J.The classification and analysis of the security bugs in C/C++ programs[J].Computer Engineering and Applications,2005,41(5):123-125.(in Chinese) 吕维梅,刘坚.C/C++程序安全漏洞的分类与分析[J].计算机工程与应用,2005,41(5):123-125.
[18] MA H T.The principles and defense methods of security bug in computer software[J].Science & Technology Association Forum,2009(6):49.(in Chinese) 马海涛.计算机软件安全漏洞原理及防范方法[J].科协论坛,2009(6):49.
[19] NGUYEN P H,YSKOUT K,HEYMAN T,et al.SoSPa:A system of Security design Patterns for systematically engineering secure systems[C]∥Proceedings of the 18th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems.Washington DC,USA:IEEE,2015.
[20] YSKOUT K,SCANDARIATO R,JOOSEN W.Do Security Patterns Really Help Designers?[C]∥Proceedings of the 37th IEEE/ACM International Conference on Software Engineering.Washington DC,USA:IEEE,2015:292-302.
[21] FELDERER M,ZEZH P,BREU R,et al.Model-based security testing:a taxonomy and systematic classification[J].Software Testing Verification & Reliability,2016,26(2):119-148.
[22] FELDERER M,BCHLER M,JOHNS M,et al.Security Testing:A Survey[M]∥Advances in Computers.2016:1-51.
[23] XIA X,LO D,SHIHAB E,et al.Automatic,high accuracy prediction of reopened bugs[J].Automated Software Engineering,2015,22(1):75-109.

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
[1] 雷丽晖,王静. 可能性测度下的LTL模型检测并行化研究[J]. 计算机科学, 2018, 45(4): 71 -75, 88 .
[2] 夏庆勋,庄毅. 一种基于局部性原理的远程验证机制[J]. 计算机科学, 2018, 45(4): 148 -151, 162 .
[3] 厉柏伸,李领治,孙涌,朱艳琴. 基于伪梯度提升决策树的内网防御算法[J]. 计算机科学, 2018, 45(4): 157 -162 .
[4] 王欢,张云峰,张艳. 一种基于CFDs规则的修复序列快速判定方法[J]. 计算机科学, 2018, 45(3): 311 -316 .
[5] 孙启,金燕,何琨,徐凌轩. 用于求解混合车辆路径问题的混合进化算法[J]. 计算机科学, 2018, 45(4): 76 -82 .
[6] 张佳男,肖鸣宇. 带权混合支配问题的近似算法研究[J]. 计算机科学, 2018, 45(4): 83 -88 .
[7] 伍建辉,黄中祥,李武,吴健辉,彭鑫,张生. 城市道路建设时序决策的鲁棒优化[J]. 计算机科学, 2018, 45(4): 89 -93 .
[8] 刘琴. 计算机取证过程中基于约束的数据质量问题研究[J]. 计算机科学, 2018, 45(4): 169 -172 .
[9] 钟菲,杨斌. 基于主成分分析网络的车牌检测方法[J]. 计算机科学, 2018, 45(3): 268 -273 .
[10] 史雯隽,武继刚,罗裕春. 针对移动云计算任务迁移的快速高效调度算法[J]. 计算机科学, 2018, 45(4): 94 -99, 116 .