The beauty and the beast: Vulnerabilities in red hat's packages

Proceedings of the 2009 USENIX Annual Technical Conference

Volumn , Issue , 2019, Pages 383-396

  Neuhaus, Stephan ^a   Zimmermann, Thomas ^b  

^a UNIVERSITY OF TRENTO   (Italy)

^b MICROSOFT RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

RISK ASSESSMENT; SUPPORT VECTOR MACHINES; TESTING;

EMPIRICAL STUDIES; PREDICTION MODEL; RED HATS; SOFTWARE VULNERABILITIES; STATISTICAL HYPOTHESIS TESTING;

FORMAL CONCEPT ANALYSIS;

EID: 85077041914     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (38)

1. Rakesh Agrawal and Ramakrishnan Srikant. Fast algorithms for mining association rules in large databases. In VLDB'94: Proc. of 20th Int'l. Conf. on Very Large Data Bases, pages 487-499. Morgan Kaufmann, 1994.
2. Omar Alhazmi, Yashwant Malaiya, and Indrajit Ray. Security Vulnerabilities in Software Systems: A Quantitative Perspective, volume 3645/2005 of Lecture Notes in Computer Science, pages 281-294. Springer Verlag, Berlin, Heidelberg, August 2005.
3. Edward C. Bailey. Maximum RPM: Taking the red hat package manager to the limit. http://www.rpm.org/max-rpm/, 2000. Last accessed on August 22, 2008.
4. Victor R. Basili, Forrest Shull, and Filippo Lanubile. Building knowledge through families of experiments. IEEE Trans. Software Eng., 25(4):456-473, 1999.
5. Ladislav Bodnar. Is RPM doomed? http://distrowatch.com/dwres.php?resource=article-rpm, 2002. Last accessed: Aug. 2008.
6. Josh Bressers. Personal communication, March 2008.
7. Massimiliano Di Penta, Luigi Cerulo, and Lerina Aversano. The evolution and decay of statically detected source code vulnerabilities. In Proc. Int'l. Working Conf. on Source Code Analysis and Manipulation (SCAM), 2008.
8. Evgenia Dimitriadou, Kurt Hornik, Friedrich Leisch, David Meyer, and Andreas Weingessel. r-cran-e1071. http://mloss.org/software/view/94/, 2008.
9. Free Software Foundation. DDD data display debugger. http://www.gnu.org/software/ddd/, August 2008.
10. Bernhard Ganter and Rudolf Wille. Formal Concept Analysis: Mathematical Foundations. Springer, Berlin, 1999.
11. Michael Gegick, Pete Rotella, and Laurie William. Toward non-security failures as a predictor of security faults and failures. In Proc. Int'l. Symposium on Engineering Secure Software and Systems (ESSoS), 2009. To appear.
12. Michael Gegick, Laurie Williams, Jason Osborne, and Mladen Vouk. Prioritizing software security fortification throughcode-level metrics. In QoP '08: Proc. of the 4th ACM workshop on Quality of protection, pages 31-38. ACM, 2008.
13. Daniel M. Germán. Using software distributions to understand the relationship among free and open source software projects. In Proc. Int'l. Workshop on Mining Software Repositories (MSR), page 24, 2007.
14. Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson. CSI/FBI computer crime and security survey. Technical report, Computer Security Institute (CSI), 2005.
15. Jiawei Han and Micheline Kamber. Data Mining: Concepts and Techniques. Morgan Kaufmann, 2nd edition, 2005.
16. Int'l. Organization for Standardization and Int'l. Electrotechnical Commission. ISO/IEC 9899:TC3 committee draft. Technical report, Int'l. Organization for Standardization, September 2007.
17. Simon Josefsson. GNU SASL library-libgsasl. http://josefsson.org/gsasl, August 2008.
18. Zhenmin Li, Lin Tan, Xuanhui Wang, Shan Lu, Yuanyuan Zhou,, and Chengxiang Zhai. Have things changed now? an empirical study of bug characteristics in modern open source software. In Proc. Workshop on Architectural and System Support for Improving Software Dependability 2006, pages 25-33, October 2006.
19. Christian Lindig. Mining patterns and violations using concept analysis. http://www.st.cs.uni-sb.de/∼lindig/papers/lindig-2007-mining.pdf, 2007.
20. Heikki Mannila, Hannu Toivonen, and A. Inkeri Verkamo. Efficient algorithms for discovering association rules. In KDD'94: AAAI Workshop on Knowledge Discovery in Databases, pages 181-192, 1994.
21. John G. Myers. RFC 2222: Simple authentication and security layer (sasl). http://www.ietf.org/rfc/rfc2222.txt, October 1997.
22. Nachiappan Nagappan, Thomas Ball, and Andreas Zeller. Mining metrics to predict component failures. In Proc. 27th Int'l. Conf. on Software Engineering, New York, NY, USA, May 2005. ACM Press.
23. National Institute of Standards. CVE 2007-5135. http://nvd.nist.gov/nvd.cfm?cvename= CVE-2007-5135, September 2007.
24. Stephan Neuhaus. Repeating the Past: Experimental and Empirical Methodsin Software Security. PhD thesis, Universität des Saarlandes, Saarbrücken, February 2008.
25. Stephan Neuhaus, Thomas Zimmermann, Christian Holler, and Andreas Zeller. Predicting vulnerable software components. In Proc. 14th ACM Conf. on Computer and Communications Security (CCS), pages 529-540, October 2007.
26. Andy Ozment and Stuart E. Schechter. Milk or wine: Does software security improve with age? In Proc. 15th Usenix Security Symposium, August 2006.
27. Ross Quinlan. C4.5: Programs for Machine Learning. Morgan Kaufman Publishers, San Francisco, CA, USA, 1993.
28. R Development Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2008. ISBN 3-900051-07-0.
29. RedHat Network. Errata. https://rhn.redhat.com/errata/, August 2008.
30. Gregorio Robles, Jesús M. González-Barahona, Martin Michlmayr, and Juan Jose Amor. Mining large software compilations over time: another perspective of software evolution. In Proc. Workshop on Mining Software Repositories, pages 3-9, 2006.
31. Adrian Schröter, Thomas Zimmermann, and Andreas Zeller. Predicting component failures at design time. In Proc. 5th Int'l. Symposium on Empirical Software Engineering, pages 18-27, New York, NY, USA, September 2006.
32. Yonghee Shin and Laurie Williams. Is complexity really the enemy of software security? In QoP'08: Proc. 4th ACM workshop on Quality of protection, pages 31-38. ACM, 2008.
33. Adam Shostack and Andrew Stewart. The New School of Information Security. Pearson Education, Inc., Boston, MA, USA, 2008.
34. Sidney Siegel and N. John Castellan, Jr. Nonparametric Statistics for the Behavioral Sciences. McGraw-Hill, 2nd edition, 1988.
35. Chris Tofts and Brian Monahan. Towards an analytic model of security flaws. Technical Report 2004-224, HP Trusted Systems Laboratory, Bristol, UK, December 2004.
36. Vladimir Naumovich Vapnik. The Nature of Statistical Learning Theory. Springer Verlag, Berlin, 1995.
37. Larry Wasserman. All of Statistics: A Concise Course in Statistical Inference. Springer, 2nd edition, 2004.
38. Jian Yin, Chunqiang Tang, Xiaolan Zhang, and Michael McIntosh. On estimating the security risks of composite software services. In Proc. PASSWORD Workshop, June 2006.