Learning From Flaws
Stephan Neuhaus
Everything begins with a flaw: a program exhibits a security hole that is used by attackers to gain unauthorized access. This hole is then plugged by the software vendor, who strives to put out a fixed version of his software as soon as possible. All this activity is being systematically recorded in databases, and it is these databases that the researchers from Saarbrücken found particularly interesting.
"First of all, we determined where the vulnerabilities are in the program's source code", says Stephan Neuhaus, PhD student at the chair for Software Engineering. "What we get is a map that shows us just where the vulnerable components are: the redder a component, the more vulnerabilities it has had in the past." Such a map allows programmers to identify vulnerable components and to inspect them more closely.
But this is not all: the approach from Saarbrücken is able to predict automatically where the next vulnerabilities will probably be found. "We examine those components with which vulnerable components cooperate", says Thomas Zimmermann who developed the approach together with Stephan Neuhaus. "We found out that vulnerable components cooperate with similar components." In the words of Professor Andreas Zeller, leader of the project, "Tell me with whom you cooperate and I'll tell you how vulnerable you are."
In this way, the researchers from Saarbrücken can pinpoint exactly where vulnerabilities were in the past and where they are most likely to appear in the future. "To put it simply, if your component implements some aspect of JavaScript, it will be much more vulnerable than other components", says Stephan Neuhaus. This is not particularly surprising for Internet professionals. The nice thing about the approach from Saarbrücken is however that it works fully automatically. "All that we need is vulnerability and version histories, and this is created automatically by standard tools that are being used in the software development process anyway. From this we can prodict where the next vulnerabilities will lie", says Andreas Zeller.
In January 2007, the team from Saarbrücken prepared a list of ten source code files that according to their approach were most likely to contain new vulnerabilities. Five of those ten files had to be fixed within the next six months because of security flaws. This shows the practical strength of the approach.
Security experts agree with that assessment: the approach will be presented in November at one of the most prestigious computer security conferences, the ACM Computer and Communication Security in Virginia, USA. The program committee accepted 55 out of 303 submissions; the contribution from Saarbrücken is the only accepted paper by a German research group.
Questions are answered by:
Prof. Dr. Andreas Zeller
Tel. 0681/302-64011
Friederike Meyer zu Tittingdorf
Tel. 0681/302-58099
