Computer Science ›› 2017, Vol. 44 ›› Issue (11): 41-49.doi: 10.11896/j.issn.1002-137X.2017.11.007

Previous Articles     Next Articles

Empirical Study of Reopened Security Bugs on Mozilla

ZHANG Kai, SUN Xiao-bing, PENG Xin and ZHAO Wen-yun   

  • Online:2018-12-01 Published:2018-12-01

Abstract: Compared to other types of bugs,security bug reopens more often,moreover,they need more development resources to fix it,which adds an extra cost to fix them.Hence,the empirical study of reopened security bugs is important.Our study collected the reopened security bugs from the Mozilla project,and analyzed them from the times of their reopening and commits,files which were modified to fix them,lines of added and deleted code,and comparison of the original fixing and reopened fixing.The empirical results show that security bug reopening often happen and it relates to the complexity of recognizing the reason that a security bug happens and fixing bugs.In addition,the locality of the files and code in the original security bug fixing is one of the causes to influence its re-fixing for bug reopens,and using more complex and effective fixing process can help reduce the security bug reopens.Finally,we summarized several causes for security bug reopens to help developers more easily identify the reopens of different types of security bugs.

Key words: Security bug,Reopens,Bug fixing,Empirical study

[1] TAN L,LIU C,LI Z M,et al.Bug characteristics in open source software[J].Empirical Software Engineering,2014,19(6):1665-1705.
[2] HALEY C B,LANEY R,MOFFETT J D,et al.Security Requirements Engineering:A Framework for Representation and Analysis[J].IEEE Transactions on Software Engineering,2008,34(1):133-153.
[3] VIEGA J,MCGRAW G.Building secure software:how to avoid security problems the right way[M].Addison-Wesley,New York,2001.
[4] ZAMAN S,ADAMS B,HASSAN A E.Security versus per-formance bugs:a case study on Firefox[C]∥Proceedings of the 8th Working Conference on Mining Software Repositories.New York,NY,USA:ACM,2011:93-102.
[5] ZELLER A.Why Programs Fail:A Guide to System atic Debugging[M].San Francisco,CA,USA:Morgan Kaufmann PublishersInc.,2005.
[6] MCGRAW G.Software security:building security in[J].IEEESecurity & Privacy,2006,2(3):6.
[7] BHATTACHARYA P,ULANOVA L,N EAMTIU I,et al.An Empirical Analysis of Bug Reports and Bug Fixing in Open Source Android Apps[C]∥Proceedings of 17th European Conference on Software Maintenance & Reengineering.Washington DC,USA:IEEE,2013:133-143.
[8] GEGICK M,ROTELLA P,XIE T.Identifying security bug reports via text mining:An industrial case study[C]∥Proceedings of the 7th International Working Conference on Mining Software Repositories.Washington DC,USA:IEEE,2010:11-20.
[9] DING Y,ZOU W,WEI T.Research summarize of classification of security bugs in software[C]∥Proceedings of the 5th Con-ference on Vulnerability Analysis and Risk Assessment.2012.(in Chinese) 丁羽,邹维,韦韬.软件安全漏洞分类研究综述[C]∥信息安全漏洞分析与风险评估大会.2012.
[10] LI Z M,TAN L,WANG X H,et al.Have things changed now? an empirical study of bug characteristics in modern open source software[C]∥Proceedings of The Workshop on Architectural and System Support for Improving Software Dependability.Washington DC,USA:IEEE,2010:11-20.
[11] SHIN Y,WILLIAMS L.An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics[C]∥Procee-dings of International Symposium on Empirical Software Engineering and Measurement.New York,NY,USA:ACM,2008:315-317.
[12] ZIMMERMANN T,NAGAPPAN N,GUO P,et al.Characterizing and predicting which bugs get reopened[C]∥Proceedings of the 34th International Conference on Software Engineering.Washington DC,USA:IEEE,2012:1074-1083.
[13] GUAN M.The research of software security bug detection technology based on the analysis of application[D].Xi’an:NorthWestern Polytechnical University,2007.(in Chinese) 管铭.基于程序分析的软件安全漏洞检测技术研究[D].西安:西北工业大学,2007.
[14] ZHANG L,ZENG Q K.The static detection technology of software security bug[J].Software Engineering,2008,34(12):157-159.(in Chinese) 张林,曾庆凯.软件安全漏洞的静态检测技术[J].计算机工程,2008,34(12):157-159.
[15] THOME J,SHAR L K,BRIAND L.Security slicing for auditing XML,XPath,and SQL injection vulnerabilities[C]∥Procee-dings of the 26th IEEE International Symposium on Software Reliability Engineering.Washington DC,USA:IEEE,2015:553-564.
[16] SHAR L K,TAN H B K,BRIAND L.Mining SQL injection andcross site scripting vulnerabilities using hybrid program analysis[C]∥Proceedings of the 35th International Conference on Software Engineering.Washington DC,USA:IEEE,2013,4:642-651.
[17] LV W M,LIU J.The classification and analysis of the security bugs in C/C++ programs[J].Computer Engineering and Applications,2005,41(5):123-125.(in Chinese) 吕维梅,刘坚.C/C++程序安全漏洞的分类与分析[J].计算机工程与应用,2005,41(5):123-125.
[18] MA H T.The principles and defense methods of security bug in computer software[J].Science & Technology Association Forum,2009(6):49.(in Chinese) 马海涛.计算机软件安全漏洞原理及防范方法[J].科协论坛,2009(6):49.
[19] NGUYEN P H,YSKOUT K,HEYMAN T,et al.SoSPa:A system of Security design Patterns for systematically engineering secure systems[C]∥Proceedings of the 18th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems.Washington DC,USA:IEEE,2015.
[20] YSKOUT K,SCANDARIATO R,JOOSEN W.Do Security Patterns Really Help Designers?[C]∥Proceedings of the 37th IEEE/ACM International Conference on Software Engineering.Washington DC,USA:IEEE,2015:292-302.
[21] FELDERER M,ZEZH P,BREU R,et al.Model-based security testing:a taxonomy and systematic classification[J].Software Testing Verification & Reliability,2016,26(2):119-148.
[22] FELDERER M,BCHLER M,JOHNS M,et al.Security Testing:A Survey[M]∥Advances in Computers.2016:1-51.
[23] XIA X,LO D,SHIHAB E,et al.Automatic,high accuracy prediction of reopened bugs[J].Automated Software Engineering,2015,22(1):75-109.

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!