DOI: 10.1145/1988630.1988632
Research article

An initial study on the use of execution complexity metrics as indicators of software vulnerabilities

Published: 22 May 2011

Abstract

Allocating code inspection and testing resources to the most problematic code areas is important for reducing development time and cost. While complexity metrics collected statically from software artifacts are known to help locate vulnerable code, some complex code is rarely executed in practice, so its vulnerabilities have less chance of being detected. To augment the use of static complexity metrics, this study examines execution complexity metrics, collected while the code runs, as indicators of vulnerable code locations. We conducted case studies on two large, widely used open source projects, the Mozilla Firefox web browser and the Wireshark network protocol analyzer. Our results indicate that execution complexity metrics are better indicators of vulnerable code locations than the most commonly used static complexity metric, lines of source code. How well execution complexity metrics discriminate vulnerable code locations from neutral ones, and how well they predict vulnerable code locations, varies from project to project. However, vulnerability prediction models using execution complexity metrics are superior to models using static complexity metrics in reducing inspection effort.



Published In

SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems
May 2011
62 pages
ISBN:9781450305815
DOI:10.1145/1988630
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 May 2011

Author Tags

  1. complexity metrics
  2. execution metrics
  3. software security
  4. software vulnerability prediction

Qualifiers

  • Research-article

Conference

ICSE11: International Conference on Software Engineering
May 22, 2011
Waikiki, Honolulu, HI, USA

Acceptance Rates

SESS '11 paper acceptance rate: 8 of 11 submissions, 73%
Overall acceptance rate: 8 of 11 submissions, 73%

Article Metrics

  • Downloads (Last 12 months)21
  • Downloads (Last 6 weeks)3
Reflects downloads up to 21 Nov 2024

Cited By

  • (2024) Estimating Software Vulnerabilities from Git Project Open Source: A Machine Learning Approach. 2024 International Conference on Information Technology Research and Innovation (ICITRI), 224-229. doi:10.1109/ICITRI62858.2024.10699087. Online publication date: 5 Sep 2024.
  • (2023) A Systematic Literature Review on Software Vulnerability Prediction Models. IEEE Access 11, 110289-110311. doi:10.1109/ACCESS.2023.3312613. Online publication date: 2023.
  • (2023) Design and Development of Artificial Intelligence Knowledge Processing System for Optimizing Security of Software System. SN Computer Science 4:4. doi:10.1007/s42979-023-01785-2. Online publication date: 15 Apr 2023.
  • (2023) A security vulnerability predictor based on source code metrics. Journal of Computer Virology and Hacking Techniques 19:4, 615-633. doi:10.1007/s11416-023-00469-y. Online publication date: 17 Feb 2023.
  • (2023) Analyzing the Evolution of Inter-package Dependencies in Operating Systems: A Case Study of Ubuntu. Software Architecture, 233-249. doi:10.1007/978-3-031-42592-9_16. Online publication date: 8 Sep 2023.
  • (2022) Static Analysis of Information Systems for IoT Cyber Security: A Survey of Machine Learning Approaches. Sensors 22:4 (1335). doi:10.3390/s22041335. Online publication date: 10 Feb 2022.
  • (2021) Automated Software Vulnerability Detection Based on Hybrid Neural Network. Applied Sciences 11:7 (3201). doi:10.3390/app11073201. Online publication date: 2 Apr 2021.
  • (2021) Analyzing Software Security-related Size and its Relationship with Vulnerabilities in OSS. 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), 956-965. doi:10.1109/QRS54544.2021.00105. Online publication date: Dec 2021.
  • (2021) The realist approach for evaluation of computational intelligence in software engineering. Innovations in Systems and Software Engineering. doi:10.1007/s11334-020-00383-2. Online publication date: 28 Jan 2021.
  • (2021) Out of sight, out of mind? How vulnerable dependencies affect open-source projects. Empirical Software Engineering 26:4. doi:10.1007/s10664-021-09959-3. Online publication date: 21 Apr 2021.
