D120.de/forum

Two topics are available on quantitative analysis of open-source software security. Specifically, we will look into several interesting attributes of vulnerabilities affecting software that is distributed in Debian GNU/Linux. We are looking for Linux-native people with knowledge/experience on security (showcased by lectures etc.) and great motivation for high-impact research.

[b]Topic 1: "Milk or Wine"[/b]
Back in 2006 Ozment and Schechter [USENIX Sec.'06] counted the age and lifetime of vulnerabilities in the OpenBSD kernel and concluded that it matures like wine, meaning it becomes better with age. We want to reproduce their study on a much bigger scale, for all packages of Debian GNU/Linux. This will require developing a tool that can pinpoint which version of the software was the first that contained a given vulnerability. Nguyen, Dashevskyi & Massacci [ESE'16] developed such a method in a smaller scale...

[b]Topic 2: "What can static analysis tell us?"[/b]
Edwards and Chen [CCS'12] showed some correlation between the number of issues flagged by static analysis tools and vulnerabilities discovered later. We want to investigate this hypothesis on a much bigger scale. We also want to find out which static analysis tools perform best by comparing a selection of them on our dataset.

Contact: Nikolaos Alexopoulos (alexopoulos at tk.tu-darmstadt.de)