Using semantic templates to study vulnerabilities recorded in large software repositories

Yan Wu, Robin A. Gandhi, Harvey Siy

Research output: Chapter in Book/Report/Conference proceedingConference contribution

16 Citations (Scopus)

Abstract

Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

Original languageEnglish (US)
Title of host publication2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010
Pages22-28
Number of pages7
DOIs
StatePublished - Jul 20 2010
Event2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 - Cape Town, South Africa
Duration: May 2 2010May 8 2010

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Conference

Conference2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010
CountrySouth Africa
CityCape Town
Period5/2/105/8/10

Fingerprint

Semantics
Glossaries
Ontology
Software engineering
Servers
Inspection

Keywords

  • CVE
  • CWE
  • buffer overflow
  • fix patterns
  • ontology
  • semantic template
  • software repository
  • vulnerability

ASJC Scopus subject areas

  • Software

Cite this

Wu, Y., Gandhi, R. A., & Siy, H. (2010). Using semantic templates to study vulnerabilities recorded in large software repositories. In 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010 (pp. 22-28). (Proceedings - International Conference on Software Engineering). https://doi.org/10.1145/1809100.1809104

Using semantic templates to study vulnerabilities recorded in large software repositories. / Wu, Yan; Gandhi, Robin A.; Siy, Harvey.

2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. 2010. p. 22-28 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Wu, Y, Gandhi, RA & Siy, H 2010, Using semantic templates to study vulnerabilities recorded in large software repositories. in 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. Proceedings - International Conference on Software Engineering, pp. 22-28, 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010, Cape Town, South Africa, 5/2/10. https://doi.org/10.1145/1809100.1809104
Wu Y, Gandhi RA, Siy H. Using semantic templates to study vulnerabilities recorded in large software repositories. In 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. 2010. p. 22-28. (Proceedings - International Conference on Software Engineering). https://doi.org/10.1145/1809100.1809104
Wu, Yan ; Gandhi, Robin A. ; Siy, Harvey. / Using semantic templates to study vulnerabilities recorded in large software repositories. 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010. 2010. pp. 22-28 (Proceedings - International Conference on Software Engineering).
@inproceedings{4a0a4e7e0d22433eb98a79b22323122f,
title = "Using semantic templates to study vulnerabilities recorded in large software repositories",
abstract = "Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.",
keywords = "CVE, CWE, buffer overflow, fix patterns, ontology, semantic template, software repository, vulnerability",
author = "Yan Wu and Gandhi, {Robin A.} and Harvey Siy",
year = "2010",
month = "7",
day = "20",
doi = "10.1145/1809100.1809104",
language = "English (US)",
isbn = "9781605589657",
series = "Proceedings - International Conference on Software Engineering",
pages = "22--28",
booktitle = "2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010",

}

TY - GEN

T1 - Using semantic templates to study vulnerabilities recorded in large software repositories

AU - Wu, Yan

AU - Gandhi, Robin A.

AU - Siy, Harvey

PY - 2010/7/20

Y1 - 2010/7/20

N2 - Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

AB - Software repositories are rich sources of information about vulnerabilities that occur during a product's lifecycle. Although available, such information is scattered across numerous databases. Furthermore, in large software repositories, a single vulnerability may span across multiple components and have multidimensional interactions with other vulnerabilities. Thus, identifying the patterns of vulnerability occurrence in a larger context of software development continues to be an open problem. Here we present findings from our study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository. In this approach, a semantic template for each type of vulnerability is created from information in the Common Weakness Enumeration dictionary. Next, known vulnerabilities and related concepts in the repository are tagged with concepts from the template. Based on the characteristics of the resources affected by these vulnerabilities, other similar resources in the software can be identified for closer inspection and verification. We present results from our study of vulnerabilities in the Apache web server.

KW - CVE

KW - CWE

KW - buffer overflow

KW - fix patterns

KW - ontology

KW - semantic template

KW - software repository

KW - vulnerability

UR - http://www.scopus.com/inward/record.url?scp=77954606254&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77954606254&partnerID=8YFLogxK

U2 - 10.1145/1809100.1809104

DO - 10.1145/1809100.1809104

M3 - Conference contribution

AN - SCOPUS:77954606254

SN - 9781605589657

T3 - Proceedings - International Conference on Software Engineering

SP - 22

EP - 28

BT - 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, in Conjunction with the 32nd ACM/IEEE International Conference on Software Engineering, ICSE 2010

ER -