Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Home
  • Attend
    • Registration Information
    • Registration Discounts
    • Venue, Hotel, and Travel
    • Co-located Workshops
  • Program
    • Workshop Program
  • Participate
    • Instructions for Participants
    • Call for Papers
  • Sponsorship
  • About
    • Workshop Organizers
    • Services
    • Questions
    • Help Promote!
    • Past Workshops
  • Home
  • Attend
  • Program
  • Participate
    • Instructions for Participants
    • Call for Papers
  • Sponsorship
  • About
    • Workshop Organizers
    • Services
    • Questions
    • Help Promote!
    • Past Workshops

sponsors

Media Sponsor

help promote

CSET '16 button

connect with us


  •  Twitter
  •  Facebook
  •  LinkedIn
  •  Google+
  •  YouTube

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » Finding Bugs in Source Code Using Commonly Available Development Metadata
Tweet

connect with us

Finding Bugs in Source Code Using Commonly Available Development Metadata

Authors: 

Devin Cook and Yung Ryn Choe, Sandia National Laboratories; John A. Hamilton, Jr., Mississippi State University

Abstract: 

Developers and security analysts have been using static analysis for a long time to analyze programs for defects and vulnerabilities. Generally a static analysis tool is run on the source code for a given program, flagging areas of code that need to be further inspected by a human analyst. These tools tend to work fairly well – every year they find many important bugs. These tools are more impressive considering the fact that they only examine the source code, which may be very complex. Now consider the amount of data available that these tools do not analyze. There are many additional pieces of information available that would prove useful for finding bugs in code, such as a history of bug reports, a history of all changes to the code, information about committers, etc. By leveraging all this additional data, it is possible to find more bugs with less user interaction, as well as track useful metrics such as number and type of defects injected by committer. This paper provides a method for leveraging development metadata to find bugs that would otherwise be difficult to find using standard static analysis tools. We showcase two case studies that demonstrate the ability to find new vulnerabilities in large and small software projects by finding new vulnerabilities in the cpython and Roundup open source projects.

Devin Cook, Sandia National Laboratories

Yung Ryn Choe, Sandia National Laboratories

John A. Hamilton, Jr., Mississippi State University

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {191665,
author = {Devin Cook and Yung Ryn Choe and John A. Hamilton, Jr.},
title = {Finding Bugs in Source Code Using Commonly Available Development Metadata},
booktitle = {8th Workshop on Cyber Security Experimentation and Test (CSET 15)},
year = {2015},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/cset15/workshop-program/presentation/cook},
publisher = {USENIX Association},
month = aug,
}
Download
Cook PDF
View the slides
  • Log in or    Register to post comments

Media Sponsors & Industry Partners

© USENIX

  • Privacy Policy
  • Contact Us