
Page manager: Web editorial office
Page updated: 2012-09-11 15:12



Detecting security vulnerabilities using clone detection and community knowledge

Paper in proceedings
Authors: Fabien Patrick Viertel
Wasja Brunotte
Daniel Strüber
Kurt Schneider
Published in: Proceedings of the International Conference on Software Engineering and Knowledge Engineering, SEKE
ISSN: 2325-9000
Publication year: 2019
Published at: Department of Computer Science and Engineering, Software Engineering (GU)
Language: English
Links: dx.doi.org/10.18293/SEKE2019-183
Keywords: Code clones, Information systems, Security
Subject categories: Software Engineering


Abstract: Faced with the severe financial and reputational implications of data breaches, enterprises now recognize security as a top concern for software analysis tools. While software engineers are typically not equipped with the expertise required to identify vulnerabilities in code, community knowledge in the form of publicly available vulnerability databases could come to their rescue. For example, the Common Vulnerabilities and Exposures (CVE) database contains data about already reported weaknesses. However, the support these databases offer in the form of examples is scarce: CVE entries usually do not contain example code for a vulnerability, its exploit or its patch, but only link to reports or repositories that provide this information. Manually searching these sources for relevant information is time-consuming and error-prone. In this paper, we propose a vulnerability detection approach based on community knowledge and clone detection. The key idea is to harness the example source code of software weaknesses that is available from a large-scale vulnerability database and to match it to code fragments using clone detection. We leverage a clone detection technique from the literature, which we adapted to make it applicable to vulnerability databases. In an evaluation based on 20 reports and the affected projects, our approach showed good precision and recall.
© 2019 Knowledge Systems Institute Graduate School. All rights reserved.
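The key idea of the abstract, taking example code of a known weakness from a vulnerability database and matching it to fragments of a target project by clone detection, is illustrated by the following added example. It is not the authors' implementation and does not use the clone detection technique the paper adapted; it stands in a plain token-normalising detector (identifiers and literals replaced by placeholders, k-gram token shingles compared by Jaccard similarity). The C snippets, the function and variable names, the k value and the 0.6 threshold are all constructed for the illustration and are not taken from the paper.

```python
"""Clone matching of a known-vulnerable example against a code base.

Added illustration, not the paper's implementation nor the literature technique
the authors adapted: identifiers -> ID, literals -> LIT, k-gram token shingles
compared by Jaccard similarity. Every snippet below is constructed."""
import re
from typing import List, Set, Tuple

# C keywords stay verbatim; every other name collapses to the placeholder ID.
KEYWORDS = {"char", "const", "do", "else", "for", "if", "int", "long", "return",
            "short", "sizeof", "static", "struct", "switch", "unsigned", "void", "while"}
# string or char literal, number, identifier/keyword, multi-char operator, other punctuation
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|\d+(?:\.\d+)?'
                      r"|[A-Za-z_]\w*|->|==|!=|<=|>=|&&|\|\||[^\s\w]")


def tokenize(code: str) -> List[Tuple[str, int]]:
    """Split C-like source into (text, 1-based line) tokens."""
    return [(m.group(), code.count("\n", 0, m.start()) + 1)
            for m in TOKEN_RE.finditer(code)]


def normalize(tokens: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Type-2 normalisation: names and literals lose their identity, so a
    renamed copy with another buffer size still matches the example."""
    out = []
    for text, line in tokens:
        if text in KEYWORDS or not (text[0].isalnum() or text[0] in "_\"'"):
            out.append((text, line))   # keyword or punctuation: kept as is
        elif text[0].isdigit() or text[0] in "\"'":
            out.append(("LIT", line))  # number, string or character literal
        else:
            out.append(("ID", line))   # any other name
    return out


def shingles(tokens: List[Tuple[str, int]], k: int) -> Set[Tuple[str, ...]]:
    texts = [t for t, _ in tokens]
    return {tuple(texts[i:i + k]) for i in range(len(texts) - k + 1)}


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def best_match(example: str, target: str, k: int = 4) -> Tuple[float, int, int]:
    """Slide an example-sized window over the target and return
    (similarity, first_line, last_line) of the most similar window."""
    ex = normalize(tokenize(example))
    tg = normalize(tokenize(target))
    ex_sh, width = shingles(ex, k), len(ex)
    best = (0.0, 0, 0)
    for start in range(max(1, len(tg) - width + 1)):
        win = tg[start:start + width]
        sim = jaccard(ex_sh, shingles(win, k))
        if win and sim > best[0]:
            best = (sim, win[0][1], win[-1][1])
    return best


def classify(fragment: str, vulnerable: str, patched: str, threshold: float = 0.6) -> str:
    """Compare against both sides of the fix commit, so code that already
    carries the patch is not reported as a clone of the vulnerable version."""
    sim_v = best_match(vulnerable, fragment)[0]
    sim_p = best_match(patched, fragment)[0]
    if max(sim_v, sim_p) < threshold:
        return "unrelated"
    return "vulnerable" if sim_v >= sim_p else "patched"


# Constructed pre-patch example: the '-' side of a hypothetical fix commit.
VULN_EXAMPLE = r"""
void copy_name(const char *src) {
    char buf[64];
    strcpy(buf, src);
}
"""
# Constructed post-patch example: the '+' side of the same hypothetical commit.
PATCH_EXAMPLE = r"""
void copy_name(const char *src) {
    char buf[64];
    strncpy(buf, src, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
}
"""
# Constructed target project: an unrelated function plus a renamed copy of the weakness.
TARGET_CODE = r"""
static int parse_header(struct request *r) {
    return r->len > 0 ? r->len : -1;
}
void set_title(const char *title) {
    char name[256];
    strcpy(name, title);
}
"""
# Constructed target that already carries the fix (same renaming as set_title above).
PATCHED_TARGET = (PATCH_EXAMPLE.replace("copy_name", "set_title").replace("buf", "name")
                  .replace("src", "title").replace("64", "256"))

if __name__ == "__main__":
    print("closest window to the vulnerable example:", best_match(VULN_EXAMPLE, TARGET_CODE))
    print("TARGET_CODE:", classify(TARGET_CODE, VULN_EXAMPLE, PATCH_EXAMPLE))
    print("PATCHED_TARGET:", classify(PATCHED_TARGET, VULN_EXAMPLE, PATCH_EXAMPLE))
```

Two points a practitioner would check before using something like this. First, the normalisation is what makes the renamed, re-sized `set_title` a perfect match for `copy_name`, but it also erases the difference between `strcpy` and any other two-argument call; the structural difference introduced by the fix (the extra length argument and the explicit terminator) is therefore what separates the two versions, which is why `classify` compares a fragment against both the pre-patch and the post-patch code taken from the linked fix rather than against the vulnerable example alone. Second, the `sim > best[0]` rule reports only the single best window per target, so a project containing two copies of the weakness needs the scan repeated per file or with the best window masked out.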

