research-article

Using semantic templates to study vulnerabilities recorded in large software repositories

Authors:

Yan Wu,

Robin A. Gandhi,

Harvey SiyAuthors Info & Claims

SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems

Pages 22 - 28

https://doi.org/10.1145/1809100.1809104

Published: 02 May 2010 Publication History

Get Access

Abstract

Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

References

[1]

Bevan, J., Whitehead, E. J., Kim, S., Godfrey, M., "Facilitating Software Evolution Research with Kenyon." Proc. of 13th Foundations of Software Engg., Sept. 2005.

Digital Library

Google Scholar

[2]

CAN-2004-0492, Common Vulnerability Enumeration Description, cve.mitre.org

Google Scholar

[3]

Christey, S. M, Harris, C. O., Kenderdine, J. E., Miles, B., "Common Weaknesses Enumeration v 1.6," cwe.mitre.org.

Google Scholar

[4]

Common Vulnerability Enumeration, cve.mitre.org

Google Scholar

[5]

Gennari, J., Musen, M., et al., "The evolution of Protégé-2000: An environment for knowledge-based systems development." Human-Computer Studies, 58(1), 2003.

Digital Library

Google Scholar

[6]

Gruber. T., "A Translation Approach to Portable Ontologies," Knowledge Acquisition 5, 2, 199--299, 1993.

Digital Library

Google Scholar

[7]

Kiefer, C., Bernstein, A., Tappolet. J., "Mining software repositories using iSPARQL and a software evolution ontology." 4th Int'l Workshop on Mining Soft. Repo. 2007.

Digital Library

Google Scholar

[8]

Kim, S., et al. "TA-RE: an Exchange Language for Mining Software Repositories." 3rd Int'l Workshop on Mining Soft. Repo. 2006.

Digital Library

Google Scholar

[9]

Pan, K., Kim, S., Whitehead, E. J., "Toward an understanding of bug fix patterns." Empirical Software Engineering 14:286--315, 2009.

Digital Library

Google Scholar

[10]

Riley, H. N., "The von Neumann Architecture of Computer Systems," Computer Science Department, California State Polytechnic University, September, 1987.

Google Scholar

[11]

vanVleck, T., "Three questions about each bug you find." SIGSOFT Softw. Eng. Notes 14, 5 (Jul. 1989), 62--63.

Digital Library

Google Scholar

[12]

Viega, J., McGraw, G., "Building Secure Software: How to Avoid Security Problems the Right Way", Addison Wesley, 2002

Digital Library

Google Scholar

[13]

W3C. OWL Web Ontology Language reference. W3C Recommendation, Feb. 2004.

Google Scholar

Cited By

View all

Koscinski VMirakhorli MFilkov VRay BZhou M(2024)Formally Modeled Common Weakness Enumerations (CWEs)Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694938(88-93)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691621.3694938
Rodrigues EPereira JMontecchi L(2023)A Model-Driven Approach for the Management and Enforcement of Coding ConventionsIEEE Access10.1109/ACCESS.2023.325688611(25735-25754)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3256886
Al-Boghdady AEl-Ramly MWassif K(2022)iDetect for vulnerability detection in internet of things operating systems using machine learningScientific Reports10.1038/s41598-022-21325-x12:1Online publication date: 12-Oct-2022
https://doi.org/10.1038/s41598-022-21325-x
Show More Cited By

Index Terms

Using semantic templates to study vulnerabilities recorded in large software repositories
1. Information systems
  1. Information retrieval
  2. Information storage systems
2. Software and its engineering
  1. Software creation and management

Recommendations

Using semantic templates to study vulnerabilities recorded in large software repositories
On Privacy Weaknesses and Vulnerabilities in Software Systems
ICSE '23: Proceedings of the 45th International Conference on Software Engineering

In this digital era, our privacy is under constant threat as our personal data and traceable online/offline activities are frequently collected, processed and transferred by many software applications. Privacy attacks are often formed by exploiting ...
ThreatZoom: neural network for automated vulnerability mitigation
HotSoS '19: Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security

Increasing the variety and quantity of cyber threats becoming the evident that traditional human-in-loop approaches are no longer sufficient to keep systems safe. To address this momentous moot point, forward-thinking pioneers propose new cyber security ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems

May 2010

83 pages

ISBN:9781605589657

DOI:10.1145/1809100

General Chairs:
Seok-Won Lee
University of North Carolina at Charlotte
,
Mattia Monga
Università degli Studi di Milano, Italy
,
Jan Jürjens
Technical University Dortmund, Germany

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 May 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

ICSE '10

Sponsor:

SIGSOFT

ICSE '10: 32nd International Conference on Software Engineering

May 2, 2010

Cape Town, South Africa

Acceptance Rates

Overall Acceptance Rate 8 of 11 submissions, 73%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

20
Total Citations
View Citations
409
Total Downloads

Downloads (Last 12 months)7
Downloads (Last 6 weeks)2

Reflects downloads up to 01 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Koscinski VMirakhorli MFilkov VRay BZhou M(2024)Formally Modeled Common Weakness Enumerations (CWEs)Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694938(88-93)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691621.3694938
Rodrigues EPereira JMontecchi L(2023)A Model-Driven Approach for the Management and Enforcement of Coding ConventionsIEEE Access10.1109/ACCESS.2023.325688611(25735-25754)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3256886
Al-Boghdady AEl-Ramly MWassif K(2022)iDetect for vulnerability detection in internet of things operating systems using machine learningScientific Reports10.1038/s41598-022-21325-x12:1Online publication date: 12-Oct-2022
https://doi.org/10.1038/s41598-022-21325-x
Al-Boghdady AWassif KEl-Ramly M(2021)The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT’s Low-End DevicesSensors10.3390/s2107232921:7(2329)Online publication date: 26-Mar-2021
https://doi.org/10.3390/s21072329
Rodrigues EMontecchi L(2019)Towards a Structured Specification of Coding Conventions2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC47002.2019.00047(168-16809)Online publication date: Dec-2019
https://doi.org/10.1109/PRDC47002.2019.00047
Xiao HXing ZLi XGuo H(2019)Embedding and Predicting Software Security Entity Relationships: A Knowledge Graph Based ApproachNeural Information Processing10.1007/978-3-030-36718-3_5(50-63)Online publication date: 9-Dec-2019
https://doi.org/10.1007/978-3-030-36718-3_5
Ruohonen JLeppänen V(2018)Toward Validation of Textual Information Retrieval Techniques for Software WeaknessesDatabase and Expert Systems Applications10.1007/978-3-319-99133-7_22(265-277)Online publication date: 7-Aug-2018
https://doi.org/10.1007/978-3-319-99133-7_22
Santos JTarrit KMirakhorli M(2017)A Catalog of Security Architecture Weaknesses2017 IEEE International Conference on Software Architecture Workshops (ICSAW)10.1109/ICSAW.2017.25(220-223)Online publication date: Apr-2017
https://doi.org/10.1109/ICSAW.2017.25
Kaur LMishra A(2017)Software component and the semantic WebJournal of Systems and Software10.1016/j.jss.2016.11.028125:C(152-169)Online publication date: 1-Mar-2017
https://dl.acm.org/doi/10.1016/j.jss.2016.11.028
Bojanova IBlack PYesha YWu Y(2016)The Bugs Framework (BF): A Structured Approach to Express Bugs2016 IEEE International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS.2016.29(175-182)Online publication date: Aug-2016
https://doi.org/10.1109/QRS.2016.29
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Using semantic templates to study vulnerabilities recorded in large software repositories

On Privacy Weaknesses and Vulnerabilities in Software Systems

ThreatZoom: neural network for automated vulnerability mitigation