Mining Bug Databases for Unidentified Software Vulnerabilities
Identifying software vulnerabilities is becoming more important as critical and sensitive systems increasingly rely on complex software systems. It has been suggested in previous work that some bugs are only identified as vulnerabilities long after the bug has been made public. These vulnerabilities are known as hidden impact vulnerabilities. This paper discusses the feasibility and necessity to mine common publicly available bug databases for vulnerabilities that are yet to be identified. We present bug database analysis of two well known and frequently used software packages, namely Linux kernel and MySQL. It is shown that for both Linux and MySQL, a significant portion of vulnerabilities that were discovered for the time period from January 2006 to April 2011 were hidden impact vulnerabilities. It is also shown that the percentage of hidden impact vulnerabilities has increased in the last two years, for both software packages. We then propose an improved hidden impact vulnerability identification methodology based on text mining bug databases, and conclude by discussing a few potential problems faced by such a classifier.
- Research Organization:
- Idaho National Lab. (INL), Idaho Falls, ID (United States)
- Sponsoring Organization:
- USDOE
- DOE Contract Number:
- DE-AC07-05ID14517
- OSTI ID:
- 1062190
- Report Number(s):
- INL/CON-12-24903
- Resource Relation:
- Conference: 5th International Conference on Human System Interaction,Perth, Australia,06/06/2012,06/08/2012
- Country of Publication:
- United States
- Language:
- English
Similar Records
Empirical Estimates of 0Day Vulnerabilities in Control Systems
Software Quality Assurance for EBR-II Fuels Irradiation and Physics Database (FIPD)