Do #ifdefs Influence the occurrence of vulnerabilities? An empirical study of the Linux kernel

Gabriel Ferreira, Momin Malik, Christian Kästner, Jürgen Pfeffer, Sven Apel

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

22 Scopus citations

Abstract

Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.

Original languageEnglish
Title of host publicationProceedings - 20th International Systems and Software Product Line Conference, SPLC 2016
EditorsEbrahim Bagheri, Hong Mei, Xin Peng, Antonio Ruiz Cortes, Bran Selic, Yingfei Xiong, Rick Rabiser, Norbert Siegmund, Christoph Elsner, Jun Wei, Bing Xie, Jesper Andersson, Andrzej Wasowski, Li Zhang, Yun Xie, Krzysztof Czarnecki, Thorsten Berger, Jocelyn Simmonds
PublisherAssociation for Computing Machinery
Pages65-73
Number of pages9
ISBN (Electronic)9781450340502
DOIs
StatePublished - 16 Sep 2016
Externally publishedYes
Event20th International Systems and Software Product Line Conference, SPLC 2016 - Beijing, China
Duration: 16 Sep 201623 Sep 2016

Publication series

NameACM International Conference Proceeding Series
Volume16-23-September-2016

Conference

Conference20th International Systems and Software Product Line Conference, SPLC 2016
Country/TerritoryChina
CityBeijing
Period16/09/1623/09/16

Fingerprint

Dive into the research topics of 'Do #ifdefs Influence the occurrence of vulnerabilities? An empirical study of the Linux kernel'. Together they form a unique fingerprint.

Cite this