Details
| Translated title of the contribution | Erkennen von IT-Security Schwachstellen durch Hilfe von CLone Detection und Community Wissen |
|---|---|
| Original language | English |
| Number of pages | 8 |
| Publication status | Published - 2019 |
| Event | 31st International Conference on Software Engineering and Knowledge Engineering, SEKE 2019 - Lisbon, Portugal Duration: 10 Jul 2019 → 12 Jul 2019 |
Conference
| Conference | 31st International Conference on Software Engineering and Knowledge Engineering, SEKE 2019 |
|---|---|
| Country/Territory | Portugal |
| City | Lisbon |
| Period | 10 Jul 2019 → 12 Jul 2019 |
Abstract
Faced with the severe financial and reputation implications associated with data breaches, enterprises now recognize security as a top concern for software analysis tools. While software engineers are typically not equipped with the required expertise to identify vulnerabilities in code, community knowledge in the form of publicly available vulnerability databases could come to their rescue. For example, the Common Vulnerabilities and Exposures Database (CVE) contains data about already reported weaknesses. However, the support with available examples in these databases is scarce. CVE entries usually do not contain example code for a vulnerability, its exploit or patch. They just link to reports or repositories that provide this information. Manually searching these sources for relevant information is time-consuming and error-prone. In this paper, we propose a vulnerability detection approach based on community knowledge and clone detection. The key idea is to harness available example source code of software weaknesses, from a large-scale vulnerability database, which are matched to code fragments using clone detection. We leverage a clone detection technique from the literature, which we adapted to make it applicable to vulnerability databases. In an evaluation based on 20 reports and affected projects, our approach showed good precision and recall.
Keywords
- Code clones, Information systems, Security
ASJC Scopus subject areas
- Computer Science(all)
- Software
Cite this
- Standard
- Harvard
- Apa
- Vancouver
- BibTeX
- RIS
2019. Paper presented at 31st International Conference on Software Engineering and Knowledge Engineering, SEKE 2019, Lisbon, Portugal.
Research output: Contribution to conference › Paper › Research › peer review
}
TY - CONF
T1 - Detecting Security Vulnerabilities using Clone Detection and Community Knowledge
AU - Viertel, Fabien Patrick
AU - Brunotte, Wasja
AU - Strüber, Daniel
AU - Schneider, Kurt
N1 - Funding Information: This work was supported by the German Research Foundation (DFG) under SecVolution (2016 – 2019).
PY - 2019
Y1 - 2019
N2 - Faced with the severe financial and reputation implications associated with data breaches, enterprises now recognize security as a top concern for software analysis tools. While software engineers are typically not equipped with the required expertise to identify vulnerabilities in code, community knowledge in the form of publicly available vulnerability databases could come to their rescue. For example, the Common Vulnerabilities and Exposures Database (CVE) contains data about already reported weaknesses. However, the support with available examples in these databases is scarce. CVE entries usually do not contain example code for a vulnerability, its exploit or patch. They just link to reports or repositories that provide this information. Manually searching these sources for relevant information is time-consuming and error-prone. In this paper, we propose a vulnerability detection approach based on community knowledge and clone detection. The key idea is to harness available example source code of software weaknesses, from a large-scale vulnerability database, which are matched to code fragments using clone detection. We leverage a clone detection technique from the literature, which we adapted to make it applicable to vulnerability databases. In an evaluation based on 20 reports and affected projects, our approach showed good precision and recall.
AB - Faced with the severe financial and reputation implications associated with data breaches, enterprises now recognize security as a top concern for software analysis tools. While software engineers are typically not equipped with the required expertise to identify vulnerabilities in code, community knowledge in the form of publicly available vulnerability databases could come to their rescue. For example, the Common Vulnerabilities and Exposures Database (CVE) contains data about already reported weaknesses. However, the support with available examples in these databases is scarce. CVE entries usually do not contain example code for a vulnerability, its exploit or patch. They just link to reports or repositories that provide this information. Manually searching these sources for relevant information is time-consuming and error-prone. In this paper, we propose a vulnerability detection approach based on community knowledge and clone detection. The key idea is to harness available example source code of software weaknesses, from a large-scale vulnerability database, which are matched to code fragments using clone detection. We leverage a clone detection technique from the literature, which we adapted to make it applicable to vulnerability databases. In an evaluation based on 20 reports and affected projects, our approach showed good precision and recall.
KW - Code clones
KW - Information systems
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85071370456&partnerID=8YFLogxK
U2 - 10.18293/SEKE2019-183
DO - 10.18293/SEKE2019-183
M3 - Paper
T2 - 31st International Conference on Software Engineering and Knowledge Engineering, SEKE 2019
Y2 - 10 July 2019 through 12 July 2019
ER -