TY - GEN
T1 - Do #ifdefs Influence the occurrence of vulnerabilities? An empirical study of the Linux kernel
AU - Ferreira, Gabriel
AU - Malik, Momin
AU - Kästner, Christian
AU - Pfeffer, Jürgen
AU - Apel, Sven
N1 - Publisher Copyright: © 2016 ACM.
PY - 2016/9/16
Y1 - 2016/9/16
N2 - Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.
AB - Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.
UR - http://www.scopus.com/inward/record.url?scp=84991721021&partnerID=8YFLogxK
U2 - 10.1145/2934466.2934467
DO - 10.1145/2934466.2934467
M3 - Conference contribution
AN - SCOPUS:84991721021
T3 - ACM International Conference Proceeding Series
SP - 65
EP - 73
BT - Proceedings - 20th International Systems and Software Product Line Conference, SPLC 2016
A2 - Bagheri, Ebrahim
A2 - Mei, Hong
A2 - Peng, Xin
A2 - Ruiz Cortes, Antonio
A2 - Selic, Bran
A2 - Xiong, Yingfei
A2 - Rabiser, Rick
A2 - Siegmund, Norbert
A2 - Elsner, Christoph
A2 - Wei, Jun
A2 - Xie, Bing
A2 - Andersson, Jesper
A2 - Wasowski, Andrzej
A2 - Zhang, Li
A2 - Xie, Yun
A2 - Czarnecki, Krzysztof
A2 - Berger, Thorsten
A2 - Simmonds, Jocelyn
PB - Association for Computing Machinery
T2 - 20th International Systems and Software Product Line Conference, SPLC 2016
Y2 - 16 September 2016 through 23 September 2016
ER -