Forecasting the risk of software choices: A model to foretell security vulnerabilities from library dependencies and source code evolution

Carlos E. Budde, Ranindya Paramitha, Fabio Massacci

TL;DR

A model capable of vulnerability forecasting at library level is introduced, formalising source-code evolution in time together with library dependency, which can estimate the probability that a software project faces a CVE disclosure in a future time window.

Abstract

Software security mainly studies vulnerability detection: is my code vulnerable today? This hinders risk estimation, so new approaches are emerging to forecast the occurrence of future vulnerabilities. While useful, these approaches are coarse-grained and hard to employ for project-specific technical decisions. We introduce a model capable of vulnerability forecasting at library level. Formalising source-code evolution in time together with library dependency, our model can estimate the probability that a software project faces a CVE disclosure in a future time window. Our approach is white-box and lightweight, which we demonstrate via experiments involving 1255 CVEs and 768 Java libraries, made public as an open-source artifact. Besides probability estimation, e.g. to plan software updates, this formal model can be used to detect security-sensitive points in a project, or to measure the health of a development ecosystem.

Paper Structure

This paper contains 30 sections, 2 equations, 13 figures, 1 table.

Figures (13)

  • Figure 1: Update policies that disregard the probability of future vulnerabilities threaten the security of entire software projects
  • Figure 3: Update policies of $\ell$ need forecasting metrics to avoid future vulnerabilities from dependencies like $\ell$ (same as the motivating-example figure)
  • Figure 4: Forecasting vulnerabilities: probability of CVE disclosure as a function of time and source code
  • Figure 5: Bijection between dependency trees (left) and ATs
  • Figure 6: Tracking different instances of the library $\ell$ in the dependency tree of the library $\ell$ across multiple versions
  • ...and 8 more figures

Theorems & Definitions (4)

  • Example 1
  • Definition 1: c-chain
  • Definition 2: d-matrix
  • Definition 3: TDT