A Large-Scale Empirical Study on Vulnerability Distribution within Projects and the Lessons LearnedTechnical
The number of vulnerabilities increases rapidly in recent years, due to the advances in vulnerability discovery solutions. It enables a thorough analysis on the vulnerability distribution and provides support for correlation analysis and prediction of vulnerabilities. Previous research either focuses on analyzing bugs rather than vulnerabilities, or only studies general vulnerability distribution among projects rather than the distribution within each project. In this paper, we collected a large vulnerability dataset, consisting of all known vulnerabilities associated to a set of representative open source projects, by utilizing automated crawlers and spending months of manual efforts. We then analyzed the vulnerability distribution within each project over several dimensions, including files, functions, vulnerability types and liable developers. Based on the analysis results, we presented several practical insights on the distribution of vulnerabilities. Finally, we applied such insights on several vulnerability discovery solutions (including static analysis and dynamic fuzzing), and helped them found 10 zero-day vulnerabilities in target projects, proving that our insights are useful.
Fri 10 JulDisplayed time zone: (UTC) Coordinated Universal Time change
08:05 - 09:05 | I22-TestingTechnical Papers / Demonstrations at Baekje Chair(s): Phil McMinn University of Sheffield | ||
08:05 3mTalk | FuRong: Fusing Report of Automated Android Testing on Multi-DevicesDemo Demonstrations Yuanhan Tian Nanjing University, Shengcheng Yu Nanjing University, China, Chunrong Fang Nanjing University, Peiyuan Li Nanjing University | ||
08:08 12mTalk | MemLock: Memory Usage Guided Fuzzing Technical Papers Cheng Wen Xidian University, Haijun Wang Ant Financial Services Group, China; CSSE, Shenzhen University, China, Yuekang Li Nanyang Technological University, Shengchao Qin University of Teesside, Yang Liu Nanyang Technological University, Singapore, Zhiwu Xu Shenzhen University, Hongxu Chen Research Associate, Xiaofei Xie Nanyang Technological University, Geguang Pu East China Normal University, Ting Liu Xi'an Jiaotong University DOI Pre-print Media Attached | ||
08:20 12mTalk | Symbolic Verification of Message Passing Interface Programs Technical Papers Hengbiao Yu National University of Defense Technology, Zhenbang Chen College of Computer, National University of Defense Technology, Changsha, PR China, Xianjin Fu National University of Defense Technology, Ji Wang School of Computer, National University of Defense Technology, China, Zhendong Su ETH Zurich, Switzerland, Jun Sun Singapore Management University, Chun Huang National University of Defense Technology, Wei Dong School of Computer, National University of Defense Technology, China Pre-print | ||
08:32 12mTalk | SAVER: Scalable, Precise, and Safe Memory-Error Repair Technical Papers Seongjoon Hong Korea University, Junhee Lee Korea University, South Korea, Jeongsoo Lee Korea University, Hakjoo Oh Korea University, South Korea | ||
08:44 12mTalk | A Large-Scale Empirical Study on Vulnerability Distribution within Projects and the Lessons LearnedTechnical Technical Papers Bingchang Liu Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China; School of CyberSpace Security at University of Chinese Academy of Sciences, China, Guozhu Meng Institute of Information Engineering, Chinese Academy of Sciences, Chao Zhang Institute for Network Sciences and Cyberspace of Tsinghua University, Feng Li Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China; School of CyberSpace Security at University of Chinese Academy of Sciences, China, Qi Gong Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China, Min Lin Institute for Network Sciences and Cyberspace of Tsinghua University, Dandan Sun Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China, Wei Huo Institute of Information Engineering, Chinese Academy of Sciences, Wei Zou Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, China; School of CyberSpace Security at University of Chinese Academy of Sciences, China | ||
08:56 3mTalk | MPI-SV: A Symbolic Verifier for MPI ProgramsDemo Demonstrations Zhenbang Chen College of Computer, National University of Defense Technology, Changsha, PR China, Hengbiao Yu National University of Defense Technology, Xianjin Fu National University of Defense Technology, Ji Wang School of Computer, National University of Defense Technology, China Pre-print | ||