
VCCFinder

Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, Yasemin Acar
2015 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15
Cho et al. [14] use a combination of symbolic and concrete execution to build an abstract model of the analyzed application and find vulnerabilities in several open-source projects.  ...  In theory, security audits should find and remove the vulnerabilities before the code ever gets deployed.  ...  In order to support code reviewers in finding vulnerabilities, tools and methodologies that flag potentially dangerous code are used to narrow down the search.  ... 
doi:10.1145/2810103.2813604 dblp:conf/ccs/PerlD0AYRFA15 fatcat:g2rz32rz3nayjk6jkafhompcuu

A Large-Scale Empirical Study of Security Patches

Frank Li, Vern Paxson
2017 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17
In this work we conduct a large-scale empirical study of security patches, investigating more than 4,000 bug fixes for over 3,000 vulnerabilities that affected a diverse set of 682 open-source software  ...  Among our findings we identify that: security patches have a lower footprint in code bases than non-security bug patches; a third of all security issues were introduced more than 3 years prior to remediation  ...  The opinions expressed in this paper do not necessarily reflect those of the research sponsors.  ... 
doi:10.1145/3133956.3134072 dblp:conf/ccs/LiP17 fatcat:4bhj2vfafze3rnx22siqhbw2jq

Learning to Catch Security Patches [article]

Arthur D. Sawadogo and Tegawendé F. Bissyandé and Naouel Moha and Kevin Allix and Jacques Klein and Li Li and Yves Le Traon
2020 arXiv pre-print
In practice, patching is prioritized following the nature of the code change that is committed in the code repository.  ...  In this paper, we propose a Co-Training-based approach to catch security patches as part of an automatic monitoring service of code repositories.  ...  The study further reports that 25% of open source software projects completely silently fix vulnerabilities without disclosing them to any official repository.  ... 
arXiv:2001.09148v1 fatcat:5lkslbrzhjdgpibbsio2mnlulu

Systematization of Vulnerability Discovery Knowledge: Review Protocol [article]

Nuthan Munaiah, Andrew Meneely
2019 arXiv pre-print
In this report, we describe the review protocol that will guide the systematic review of the literature in metrics-based discovery of vulnerabilities.  ...  The protocol has been developed in adherence with the guidelines for performing Systematic Literature Reviews in Software Engineering prescribed by Kitchenham and Charters.  ...  in Open-Source Projects to Assist Code Audits [20]; QGS14: To Fear or Not to Fear That is the Question: Code Characteristics of a Vulnerable Function with an Existing Exploit [30]; Table 3: Data  ... 
arXiv:1902.03331v1 fatcat:6mdoslrpynebhlpft6k3dsmgai