%0 Conference Paper %1 Perl:2015:VFP:2810103.2813604 %A Perl, Henning %A Dechand, Sergej %A Smith, Matthew %A Arp, Daniel %A Yamaguchi, Fabian %A Rieck, Konrad %A Fahl, Sascha %A Acar, Yasemin %B Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security %C New York, NY, USA %D 2015 %I ACM %K CVE SVM audit codeaudit machinelearning myown security vulnerabilities %P 426-437 %T VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. %U http://doi.acm.org/10.1145/2810103.2813604 %X Despite the security community's best effort, the number of serious vulnerabilities discovered in software is increasing rapidly. In theory, security audits should find and remove the vulnerabilities before the code ever gets deployed. However, due to the enormous amount of code being produced, as well as a the lack of manpower and expertise, not all code is suffciently audited. Thus, many vulnerabilities slip into production systems. A best-practice approach is to use a code metric analysis tool, such as Flawfinder, to tag potentially dangerous code so that it can receive special attention. However, because these tools have a very high false-positive rate, the manual effort needed to end vulnerabilities remains overwhelming. In this paper, we present a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. We combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work. The paper makes three contributions. First, we conducted the first large-scale mapping of CVEs to GitHub commits in order to create a vulnerable commit database. Second, based on this database, we trained a SVM classifier to tag suspicious commits. Compared to Flawfinder, our approach reduces the amount of false alarms by over 99 % at the same level of recall. Finally, we present a thorough quantitative and qualitative analysis of our approach and discuss lessons learned from the results. We will share the database as a benchmark for future research and will also provide our analysis tool as a web service.

@inproceedings{Perl:2015:VFP:2810103.2813604, abstract = {Despite the security community's best effort, the number of serious vulnerabilities discovered in software is increasing rapidly. In theory, security audits should find and remove the vulnerabilities before the code ever gets deployed. However, due to the enormous amount of code being produced, as well as a the lack of manpower and expertise, not all code is suffciently audited. Thus, many vulnerabilities slip into production systems. A best-practice approach is to use a code metric analysis tool, such as Flawfinder, to tag potentially dangerous code so that it can receive special attention. However, because these tools have a very high false-positive rate, the manual effort needed to end vulnerabilities remains overwhelming. In this paper, we present a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. We combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work. The paper makes three contributions. First, we conducted the first large-scale mapping of CVEs to GitHub commits in order to create a vulnerable commit database. Second, based on this database, we trained a SVM classifier to tag suspicious commits. Compared to Flawfinder, our approach reduces the amount of false alarms by over 99 % at the same level of recall. Finally, we present a thorough quantitative and qualitative analysis of our approach and discuss lessons learned from the results. We will share the database as a benchmark for future research and will also provide our analysis tool as a web service.}, added-at = {2016-01-12T12:11:58.000+0100}, address = {New York, NY, USA}, author = {Perl, Henning and Dechand, Sergej and Smith, Matthew and Arp, Daniel and Yamaguchi, Fabian and Rieck, Konrad and Fahl, Sascha and Acar, Yasemin}, biburl = {https://www.bibsonomy.org/bibtex/2ba5dd075477d3881331bbfdbf73c630f/smithl3s}, booktitle = {Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security}, interhash = {ea23ce7fddc32eedeb2da8ccf28ddc2a}, intrahash = {ba5dd075477d3881331bbfdbf73c630f}, keywords = {CVE SVM audit codeaudit machinelearning myown security vulnerabilities}, pages = {426-437}, publisher = {ACM}, series = {CCS '15}, timestamp = {2020-04-17T12:10:53.000+0200}, title = {VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits.}, url = {http://doi.acm.org/10.1145/2810103.2813604}, year = 2015 }