Visible to the public Biblio

Filters: Author is Malik, Momin  [Clear All Filters]
2017-03-20
Ferreira, Gabriel, Malik, Momin, Kästner, Christian, Pfeffer, Jürgen, Apel, Sven.  2016.  Do İfdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel Proceedings of the 20th International Systems and Software Product Line Conference. :65–73.

Preprocessors support the diversification of software products with \#ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that \#ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.

Ferreira, Gabriel, Malik, Momin, Kästner, Christian, Pfeffer, Jürgen, Apel, Sven.  2016.  Do İfdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel Proceedings of the 20th International Systems and Software Product Line Conference. :65–73.

Preprocessors support the diversification of software products with \#ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that \#ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.