SecureChange: An automated framework to guide programmers in fixing vulnerability

Sayem Mohammad Imtiaz, Kazi Zakia Sultana, Tanmay Bhowmik

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

When developers fix a defect, they may change multiple files. The number of files changed to resolve the defect depends on how strongly the files are coupled with each other. In earlier work, researchers leveraged this coupling to better understand and analyze software, as well as to guide developers in quickly finding all probable code areas that must be touched to complete a defect fix. In some studies, researchers generated association rules reflecting the coupling among files and built tools to automate the discovery of the related changes across files. Such tools, however, do not consider the type of defect resolved earlier when generating the rules; as a result, many unrelated files may be suggested when a file is changed in a later release to resolve a specific type of defect. Therefore, in our study, we consider only security defects (vulnerabilities) when generating the rules, and then automate the process of finding the other related files while a vulnerability is being fixed. Our tool, “SecureChange”, suggests to developers a number of related files that might need to be changed while fixing a particular vulnerability, based on association rules mined from the revision history. This approach will play a significant role in guiding developers in fixing a vulnerability. Furthermore, it will be an effective means of training new developers based on the vulnerability history of a system, which in turn will help them develop secure code. The proposed approach will also be helpful in educating new developers about software vulnerabilities. By finding all the related files that have been modified to fix a vulnerability, new developers will be able to learn how the faults in one file can be the root cause of a vulnerability, how it can propagate to other related files, and how it ultimately emerges as a vulnerability to the outside world.
As a demonstration of our approach, we generate association rules based on the revision history of three systems: Android, Mozilla Firefox, and Apache Tomcat. The average precision and recall of 44% and 44%, respectively, for the three systems indicate the feasibility of our approach.
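As an added illustration (not the authors' SecureChange code), the following Python mines single-file association rules from a constructed fix history with hypothetical file names, scores the suggestions with precision and recall for one held-out fix, and contrasts rules mined from vulnerability fixes alone with rules mined from all fixes, the distinction the abstract draws. The support and confidence thresholds are assumptions, not values from the paper.

```python
from collections import Counter
from itertools import combinations

# Constructed sample history (hypothetical file names, not from the paper): the set of
# files touched by each vulnerability-fix commit, and by each non-security fix commit.
VULN_FIX_COMMITS = [
    {"net/HttpParser.java", "net/HeaderValidator.java", "util/Strings.java"},
    {"net/HttpParser.java", "net/HeaderValidator.java"},
    {"net/HttpParser.java", "net/HeaderValidator.java", "net/Request.java"},
    {"auth/Session.java", "auth/Token.java"},
    {"auth/Session.java", "auth/Token.java", "util/Strings.java"},
    {"net/HttpParser.java", "util/Strings.java"},
]
NON_SECURITY_COMMITS = [{"net/HttpParser.java", "ui/Theme.css"} for _ in range(6)]

def mine_rules(commits, min_support, min_confidence):
    """Mine single-file association rules A -> B from co-change sets.
    support(A->B) = |commits with A and B| / |commits|; confidence = |A and B| / |A|."""
    n = len(commits)
    single, pair = Counter(), Counter()
    for files in commits:
        single.update(files)
        for a, b in combinations(files, 2):
            pair[(a, b)] += 1
            pair[(b, a)] += 1
    rules = {}
    for (a, b), both in pair.items():
        if both / n >= min_support and both / single[a] >= min_confidence:
            rules.setdefault(a, set()).add(b)
    return rules

def suggest(rules, changed_file):
    """Files the developer should probably also touch, given the file just edited."""
    return set(rules.get(changed_file, ()))

def evaluate_fix(rules, held_out_fix, seed_file):
    """Precision/recall of the suggestions for one held-out fix: the developer has just
    edited seed_file, and the other files of that fix are the ground truth."""
    actual = held_out_fix - {seed_file}
    suggested = suggest(rules, seed_file)
    hits = len(suggested & actual)
    precision = hits / len(suggested) if suggested else 0.0
    recall = hits / len(actual) if actual else 0.0
    return precision, recall

if __name__ == "__main__":
    held_out = {"net/HttpParser.java", "net/HeaderValidator.java", "util/Strings.java"}
    vuln_only = mine_rules(VULN_FIX_COMMITS, 0.3, 0.6)
    mixed = mine_rules(VULN_FIX_COMMITS + NON_SECURITY_COMMITS, 0.3, 0.6)
    print("vulnerability-only rules:", evaluate_fix(vuln_only, held_out, "net/HttpParser.java"))
    print("all-defect rules:        ", evaluate_fix(mixed, held_out, "net/HttpParser.java"))
```

With the mixed history, the frequent non-security co-change drowns out the security-relevant rule and the tool suggests only an unrelated file, which is the effect the abstract attributes to type-agnostic rule mining.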

Original language: English
Title of host publication: SEKE 2020 - Proceedings of the 32nd International Conference on Software Engineering and Knowledge Engineering
Publisher: Knowledge Systems Institute Graduate School
Pages: 560-565
Number of pages: 6
ISBN (Electronic): 1891706500
DOIs
State: Published - 2020
Event: 32nd International Conference on Software Engineering and Knowledge Engineering, SEKE 2020 - Pittsburgh, Virtual, United States
Duration: 9 Jul 2020 → 19 Jul 2020

Publication series

Name: Proceedings of the International Conference on Software Engineering and Knowledge Engineering, SEKE
Volume: PartF162440
ISSN (Print): 2325-9000
ISSN (Electronic): 2325-9086

Conference

Conference: 32nd International Conference on Software Engineering and Knowledge Engineering, SEKE 2020
Country/Territory: United States
City: Pittsburgh, Virtual
Period: 9/07/20 → 19/07/20
