Do #ifdefs influence the occurrence of vulnerabilities? an empirical study of the linux kernel
| Field | Value |
|---|---|
| Title | Do #ifdefs influence the occurrence of vulnerabilities? An empirical study of the Linux kernel |
| Publication Type | Conference Proceedings |
| Year of Publication | 2016 |
| Authors | Gabriel Ferreira, Momin Malik, Christian Kästner, Jürgen Pfeffer, Sven Apel |
| Conference Name | SPLC '16: Proceedings of the 20th International Systems and Software Product Line Conference |
| Pagination | 65-73 |
| Date Published | 09/2016 |
| Publisher | ACM, New York, NY, USA ©2016 |
| Conference Location | Beijing, China |
| ISBN Number | 978-1-4503-4050-2 |
| Keywords | CMU, Oct'16 |
| Abstract | Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and to maintain complex mental models of the dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel and used configuration complexity metrics to compare vulnerable and non-vulnerable functions, taking their vulnerability history into account. Our goal was to learn whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among other findings, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are more inclined to notice functions that appear in frequently compiled product variants. We aim to raise developers' awareness of the need to address variability more systematically, since configuration complexity is an important but often ignored aspect of software product lines. |
| DOI | 10.1145/2934466.2934467 |
| Citation Key | node-30357 |