Open Access   Article

Analyzing the Vulnerability in Open Source Software

Madanjit Singh1 , Munish Saini2 , Manevpreet Kaur3

Section:Research Paper, Product Type: Journal Paper
Volume-7 , Issue-2 , Page no. 8-15, Feb-2019

CrossRef-DOI:   https://doi.org/10.26438/ijcse/v7i2.815

Online published on Feb 28, 2019

Copyright © Madanjit Singh, Munish Saini, Manevpreet Kaur . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

View this paper at   Google Scholar | DPI Digital Library

Citation

IEEE Style Citation: Madanjit Singh, Munish Saini, Manevpreet Kaur, “Analyzing the Vulnerability in Open Source Software”, International Journal of Computer Sciences and Engineering, Vol.7, Issue.2, pp.8-15, 2019.

MLA Style Citation: Madanjit Singh, Munish Saini, Manevpreet Kaur "Analyzing the Vulnerability in Open Source Software." International Journal of Computer Sciences and Engineering 7.2 (2019): 8-15.

APA Style Citation: Madanjit Singh, Munish Saini, Manevpreet Kaur, (2019). Analyzing the Vulnerability in Open Source Software. International Journal of Computer Sciences and Engineering, 7(2), 8-15.

VIEWS PDF XML
42 101 downloads 10 downloads
  
  
           

Abstract

Secure code is one of the key parameters which must be taken care while software is being developed. Inspecting the source code at the earlier stages is always a better approach. Inspection involves carefully examining the source code for any flaws which may cause problems in the later stage of the software life cycle. The Vulnerability is a kind of weakness or security flaws in code that can be exploited by an attacker to perform unauthorized actions. A vulnerable code will lead to severe threats to the security of software. In this paper, we have investigated the source code of a well-known open source software (OSS) projects written in C and C++ programming language and figure out the presence of vulnerability in the software. The results also indicate that the vulnerabilities in the source code have shown an increasing trend with the lines of code (LOC). It pointed to the fact that addition of new features or change request into the OSS project will cause an increase in the vulnerability as well. It gives significant implication to the developers or project managers of OSS projects to not deny the existence of security flaws in the software as the software evolves. The obtained results will also help the project managers and developers to measure the state of software.

Key-Words / Index Term

Open Source Software, Software Quality, Hits, Flawfinder, Vulnerability, Code Scanning tools

References

[1] Younan, Y., W. Joosen, and F. Piessens. "Code Injection in C and C++: A Survey of Vulnerabilities and Countermeasures (Tech. Rep. No. CW 386)." Leuven, Belgium: Departement Computerwetenschappen, Katholieke Universiteit Leuven (2004)
[2] Piessens, Frank. "A taxonomy of causes of software vulnerabilities in internet software." Supplementary Proceedings of the 13th International Symposium on Software Reliability Engineering. 2002.
[3] “Glossary.” Risk Management & Information Security Management Systems - ENISA, 20 Jan. 2016, www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/glossary#G52.
[4] Abbott, Robert P., et al. Security analysis and enhancements of computer operating systems. No. NBSIR-76-1041. NATIONAL BUREAU OF STANDARDS WASHINGTONDC INST FOR COMPUTER SCIENCES AND TECHNOLOGY, 1976.
[5] Aslam, Taimur. "A taxonomy of security faults in the unix operating system." Master`s thesis, Purdue University 199.5 (1995).
[6] Yamaguchi, Fabian, et al. "Chucky: Exposing missing checks in source code for vulnerability discovery." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013.
[7] Ball, Thomas, et al. "Thorough static analysis of device drivers." ACM SIGOPS Operating Systems Review 40.4 (2006): 73-85.
[8] DeKok, Alan. "PScan: A limited problem scanner for C source files." (2013).
[9] Evans, David, and David Larochelle. "Improving security using extensible lightweight static analysis." IEEE software 1 (2002): 42-51.
[10] Kernighan, Brian W., and M. Dennis. "Ritchie. The C Programming Language." (1988).
[11] Stroustrup, Bjarne. The C++ programming language. Pearson Education India, 2000.
[12] HeapOverflow:https://www.owasp.org/index.php/Testing_for_Heap_Overflow,StackOverflow:https://www.owasp.org/index.php/Testing_for_Stack_Overflow,FormatString:https://www.owasp.org/index.php/Testing_for_Format_String .
[13] Conover, Matt. "w00w00 on heap overflows." (1999).
[14] Intel Corporation. IA-32 Intel Architecture Software Developer’s Manual Volume 1: Basic Architecture, 2001. Order Nr 245470.
[15] scut. Exploiting format string vulnerabilities. http://www.team-teso.net/articles/formatstring/, 2001
[16] IDA PRO, https://www.hex-rays.com/products/ida/overview.html
[17] Brumley, David, et al. "RICH: Automatically protecting against integer-based vulnerabilities." Department of Electrical and Computing Engineering (2007): 28.
[18] Zitser, Misha, Richard Lippmann, and Tim Leek. "Testing static analysis tools using exploitable buffer overflows from open source code." ACM SIGSOFT Software Engineering Notes. Vol. 29. No. 6. ACM, 2004.
[19] Viega, John, et al. "ITS4: A static vulnerability scanner for C and C++ code." Computer Security Applications, 2000. ACSAC`00. 16th Annual Conference. IEEE, 2000.
[20] Flawfindetr: https://dwheeler.com/flawfinder/flawfinder.pdf and A book entitled as “Secure Programming HOWTO” by David A. Wheeler.
[21] Fatima, Anum, Shazia Bibi, and Rida Hanif. "Comparative study on static code analysis tools for C/C++." Applied Sciences and Technology (IBCAST), 2018 15th International Bhurban Conference on. IEEE, 2018.
[22] GIT HUB, https://github.com/mysql/mysql-server.