Do bugs foreshadow vulnerabilities? a study of the chromium project

Authors: Felivel Camilo Andrew Meneely Meiyappan Nagappan

Venue: MSR   2015 IEEE/ACM 12th Working Conference on Mining Software Repositories, pp. 269--279, 2015

Year: 2015

Abstract: As developers face ever-increasing pressure to engineer secure software, researchers are building an understanding of security-sensitive bugs (i.e. Vulnerabilities). Research into mining software repositories has greatly increased our understanding of software quality via empirical study of bugs. However, conceptually vulnerabilities are different from bugs: they represent abusive functionality as opposed to wrong or insufficient functionality commonly associated with traditional, non-security bugs. In this study, we performed an in-depth analysis of the Chromium project to empirically examine the relationship between bugs and vulnerabilities. We mined 374,686 bugs and 703 post-release vulnerabilities over five Chromium releases that span six years of development. Using logistic regression analysis, we examined how various categories of pre-release bugs (e.g. Stability, compatibility, etc.) are associated with post-release vulnerabilities. While we found statistically significant correlations between pre-release bugs and post-release vulnerabilities, we also found the association to be weak. Number of features, SLOC, and number of pre-release security bugs are, in general, more closely associated with post-release vulnerabilities than any of our non-security bug categories. In a separate analysis, we found that the files with highest defect density did not intersect with the files of highest vulnerability density. These results indicate that bugs and vulnerabilities are empirically dissimilar groups, warranting the need for more research targeting vulnerabilities specifically.

BibTeX:

@inproceedings{felivelcamilo2015dbfvasotcp,
    author = "Felivel Camilo and Andrew Meneely and Meiyappan Nagappan",
    title = "Do bugs foreshadow vulnerabilities? a study of the chromium project",
    year = "2015",
    pages = "269--279",
    booktitle = "Proc. of 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories"
}

Plain Text:

Felivel Camilo, Andrew Meneely, and Meiyappan Nagappan, "Do bugs foreshadow vulnerabilities? a study of the chromium project," 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories, pp. 269--279