- Restrictions on Access:
- Restricted (Penn State Only).
- Today's software systems are increasingly relying on the power of the crowd to identify new security vulnerabilities. And yet, it is not well understood how reproducible the crowd-reported vulnerabilities are. In this study, we perform the first empirical analysis on a wide range of real-world security vulnerabilities (368 in total) with the goal of quantifying their reproducibility. Following a carefully controlled workflow, we organize a focused group of security analysts to carry out reproduction experiments. With 3600 man-hours spent, we obtain quantitative evidence on the prevalence of missing information in vulnerability reports and the low reproducibility of the vulnerabilities. We find that relying on a single vulnerability report from a popular security forum is generally difficult to succeed due to the incomplete information. By widely crowdsourcing the information gathering, security analysts could increase the reproduction success rate, but still face key challenges to troubleshoot the non-reproducible cases. To further explore solutions, we surveyed hackers, researchers, and engineers who have extensive domain expertise in software security (N=43). Going beyond Internet-scale crowdsourcing, we find that security professionals heavily rely on manual debugging and speculative guessing to infer the missed information. Our result suggests that there is not only a necessity to overhaul the way a security forum collects vulnerability reports, but also a need for automated mechanisms to collect information commonly missing in a report.
- Dissertation Note:
- B.S. Pennsylvania State University, 2018.
- Technical Details:
- The full text of the dissertation is available as an Adobe Acrobat .pdf file; Adobe Acrobat Reader required to view the file.
catkey: 23431047