
An Exploratory Study on Regression Vulnerabilities


Braz, Larissa; Fregnan, Enrico; Arora, Vivek; Bacchelli, Alberto (2022). An Exploratory Study on Regression Vulnerabilities. In: ESEM '22: ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, Helsinki, Finland, 19 October 2022 - 23 October 2022. ACM, 12-22.

Abstract

Background: Security regressions are vulnerabilities introduced in a previously unaffected software system. They often happen as a result of code changes (e.g., a bug fix) and can have severe effects.

Aims: We aim to increase the understanding of security regressions.

Method: To this aim, we perform an exploratory, mixed-method case study of Mozilla. First, we analyze 78 regression vulnerabilities and 72 bug reports where a bug fix introduced a regression vulnerability at Mozilla. We investigate how developers interact in these bug reports, how they perform the changes, and under what conditions they introduce these regressions. Second, we conduct five semi-structured interviews with as many Mozilla developers involved in the vulnerability-inducing fixes.

Results: Security is not discussed during bug fixes. Developers' main concerns are the complexity of the bug at hand and the community pressure to fix it. Developers do not worry about regression vulnerabilities and assume tools will detect them. Indeed, dynamic analysis tools helped find around 30% of these regressions.

Conclusions: Although tool support helps identify regression vulnerabilities, it may not be enough to ensure security during bug fixes. Furthermore, our results call for further work on security tooling support and its integration into the bug-fixing process.


Additional indexing

Item Type: Conference or Workshop Item (Paper), not refereed, original work
Communities & Collections: 03 Faculty of Economics > Department of Informatics
Dewey Decimal Classification: 000 Computer science, knowledge & systems
Scopus Subject Areas: Physical Sciences > Computer Science Applications; Physical Sciences > Software
Scope: Discipline-based scholarship (basic research)
Language: English
Event End Date: 23 October 2022
Deposited On: 10 Mar 2023 11:00
Last Modified: 06 Mar 2024 14:39
Publisher: ACM
ISBN: 9781450394277
OA Status: Hybrid
Publisher DOI: https://doi.org/10.1145/3544902.3546250
Official URL: https://dl.acm.org/doi/10.1145/3544902.3546250
Other Identification Number: merlin-id:23370
Deposited File: Published Version (English)