Learning From Flaws
17.09.2007 - (idw) Universität des Saarlandes
Researchers from Saarland University Predict Flaws from Vulnerability History
Security flaws in software cause enormous damage. An FBI study from 2005 estimates the losses from computer crime at a staggering $67 billion, most of them due to insecure software. Researchers at Saarland University have now introduced a new approach that learns from previous flaws and predicts just how vulnerable a software component is.
Everything begins with a flaw: a program exhibits a security hole that attackers use to gain unauthorized access. The hole is then plugged by the software vendor, who strives to put out a fixed version of the software as soon as possible. All this activity is systematically recorded in databases, and it is these databases that the researchers from Saarbrücken found particularly interesting.
"First of all, we determined where the vulnerabilities are in the program's source code", says Stephan Neuhaus, a PhD student at the Chair of Software Engineering. "What we get is a map that shows us just where the vulnerable components are: the redder a component, the more vulnerabilities it has had in the past." Such a map allows programmers to identify vulnerable components and to inspect them more closely.
But this is not all: the approach from Saarbrücken is able to predict automatically where the next vulnerabilities will probably be found. "We examine those components with which vulnerable components cooperate", says Thomas Zimmermann who developed the approach together with Stephan Neuhaus. "We found out that vulnerable components cooperate with similar components." In the words of Professor Andreas Zeller, leader of the project, "Tell me with whom you cooperate and I'll tell you how vulnerable you are."
In January 2007, the team from Saarbrücken prepared a list of ten source code files that, according to their approach, were most likely to contain new vulnerabilities. Five of those ten files had to be fixed within the next six months because of security flaws. This shows the practical strength of the approach.
Security experts agree with that assessment: the approach will be presented in November at one of the most prestigious computer security conferences, the ACM Conference on Computer and Communications Security in Virginia, USA. The program committee accepted 55 out of 303 submissions; the contribution from Saarbrücken is the only accepted paper by a German research group.
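As an added illustration (not the researchers' code or data, neither of which the article contains), the following Python sketch walks through the idea described above: map a vulnerability history onto source files, score each not-yet-vulnerable file by how often the components it cooperates with also appear in files that were vulnerable, rank the results, and check how many of the predicted files later needed a fix. All file names, dependencies, counts and the scoring rule are constructed assumptions for this example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data: for each source file, the components it
# "cooperates" with (e.g. modules it imports or calls).
DEPENDENCIES: Dict[str, Set[str]] = {
    "net/http_parser.c": {"buffer", "string", "socket"},
    "net/ftp_client.c": {"buffer", "socket", "auth"},
    "net/smtp_client.c": {"buffer", "socket", "string"},
    "ui/theme.c": {"render", "fonts"},
    "ui/window.c": {"render", "events"},
    "crypto/x509.c": {"buffer", "asn1", "string"},
}

# Constructed vulnerability history: number of past security fixes per file,
# standing in for the vulnerability database the researchers mined.
VULNERABILITY_HISTORY: Dict[str, int] = {
    "net/http_parser.c": 3,
    "net/ftp_client.c": 1,
}

def vulnerability_map(deps: Dict[str, Set[str]], history: Dict[str, int]) -> Dict[str, int]:
    """Step 1: the 'red map' -- past vulnerability count for every component."""
    return {comp: history.get(comp, 0) for comp in deps}

def dependency_risk(deps: Dict[str, Set[str]], history: Dict[str, int]) -> Dict[str, float]:
    """Step 2: for each dependency, the fraction of its users that were vulnerable."""
    users = defaultdict(list)
    for comp, ds in deps.items():
        for d in ds:
            users[d].append(comp)
    return {d: sum(1 for c in cs if history.get(c, 0) > 0) / len(cs)
            for d, cs in users.items()}

def predict(deps: Dict[str, Set[str]], history: Dict[str, int], top: int = 3) -> List[Tuple[str, float]]:
    """Step 3: rank files with no recorded vulnerability by the mean risk of
    the components they cooperate with ('tell me with whom you cooperate')."""
    risk = dependency_risk(deps, history)
    scored = [(comp, sum(risk[d] for d in ds) / len(ds))
              for comp, ds in deps.items()
              if history.get(comp, 0) == 0 and ds]
    scored.sort(key=lambda cs: (-cs[1], cs[0]))  # highest risk first, ties by name
    return scored[:top]

def precision(predicted: List[Tuple[str, float]], later_fixed: Set[str]) -> float:
    """Step 4: evaluate like the article did -- share of predicted files that later needed a fix."""
    hits = sum(1 for comp, _ in predicted if comp in later_fixed)
    return hits / len(predicted)

if __name__ == "__main__":
    for comp, score in predict(DEPENDENCIES, VULNERABILITY_HISTORY):
        print(f"{score:.2f}  {comp}")
    # Constructed follow-up: only the SMTP client actually needed a fix later.
    print("precision:", precision(predict(DEPENDENCIES, VULNERABILITY_HISTORY), {"net/smtp_client.c"}))
```

With the constructed data the SMTP client ranks first because every component it uses also appears in the two files with a vulnerability history, while the UI files share nothing with them and score zero.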
Contacts for questions:
Prof. Dr. Andreas Zeller
Friederike Meyer zu Tittingdorf
HTML code for linking to this page:
<a href="http://www.uni-protokolle.de/nachrichten/id/143446/">Learning From Flaws </a>