12. eROSE
Related Changes
(ICSE 2004, TSE 2005)
Tom Zimmermann • Saarland University
Peter Weißgerber • University of Trier
Stephan Diehl • University of Trier
Andreas Zeller • Saarland University
18. eROSE: Guiding Developers
Developers who changed this function also changed...
(Version Archive / History)
Customers who bought this item also bought...
(Purchase History)
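As an added illustration (not eROSE's own code), the "developers who changed this function also changed..." idea as association rules mined from version-archive transactions, with the top-three evaluation the deck reports; the entity names and commit history are constructed for the example.

```python
from collections import Counter, defaultdict
from itertools import permutations

# Constructed version-archive transactions for a hypothetical project:
# each set holds the entities changed together in one commit.
HISTORY = [
    {"fKeys.c:init", "fKeys.c:free", "fKeys.h"},
    {"fKeys.c:init", "fKeys.c:free", "fKeys.h", "doc/keys.txt"},
    {"fKeys.c:init", "fKeys.h"},
    {"parser.c:parse", "parser.h", "doc/syntax.txt"},
    {"parser.c:parse", "parser.h"},
    {"parser.c:parse", "lexer.c:next"},
    {"fKeys.c:free", "fKeys.h"},
]
# Constructed held-out transactions (later commits of the same project).
VALIDATION = [
    {"fKeys.c:init", "fKeys.h"},
    {"parser.c:parse", "parser.h", "doc/syntax.txt"},
    {"doc/keys.txt", "lexer.c:next"},
]

def mine_rules(transactions, min_support=2):
    """Single-antecedent association rules a -> b.
    rules[a][b] = (confidence, support): how often b changed when a did."""
    single, pair = Counter(), Counter()
    for t in transactions:
        single.update(t)
        pair.update(permutations(t, 2))  # every ordered pair in the commit
    rules = defaultdict(dict)
    for (a, b), n in pair.items():
        if n >= min_support:
            rules[a][b] = (n / single[a], n)
    return rules

def suggest(rules, changed, k=3):
    """'Developers who changed this entity also changed...': top-k
    candidates by confidence, then support, then name (stable order)."""
    ranked = sorted(rules.get(changed, {}).items(),
                    key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))
    return [b for b, _ in ranked[:k]]

def evaluate(rules, validation, k=3):
    """For each entity of each held-out transaction: does the top-k list
    for it contain another entity of that transaction? -> (hits, queries)."""
    hits = queries = 0
    for t in validation:
        for seed in t:
            queries += 1
            if set(suggest(rules, seed, k)) & (t - {seed}):
                hits += 1
    return hits, queries
```

The rule for `fKeys.c:init` ranks `fKeys.h` first (changed in all three of its commits) ahead of `fKeys.c:free`; entities that never co-changed at least twice get no suggestion at all, which is where the misses come from.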
42. Evaluation
EROSE predicts 33% of all changed entities (files: 44%).
In 70% of all transactions, EROSE's topmost three suggestions contain a changed entity (files: 72%).
Projects evaluated: GIMP, PostgreSQL, KOffice, jEdit
43. Evaluation
EROSE learns quickly (within 30 days).
44. eROSE
Related Changes
(ICSE 2004, TSE 2005)
guides developers
non-program elements
(documentation)
learns quickly
45. BugCache
Predicting Defects
(ASE 2006, ICSE 2007)
Sung Kim • MIT
Tom Zimmermann • Saarland University
Jim Whitehead • Univ. of California SC
Andreas Zeller • Saarland University
46. The Problem
How should we
allocate our resources
for quality assurance?
47. One Solution
List with elements that (will) have defects
List is adaptive, i.e., it changes over time
48. One Solution
List with elements that (will) have defects: a Cache
List is adaptive, i.e., it changes over time
49. The BugCache Model
What is loaded in the
cache?
Cache size: 2
Hypothesis: Temporal locality between defects
54. The BugCache Model
What is loaded in the
cache?
Cache size: 2
Miss
Hypothesis: Temporal locality between defects
68. Loading Elements
Temporal locality – as shown before
Spatial locality – load “nearby” elements
(i.e., co-changed before)
Changed-entity locality – load changed elements
New-entity locality – load new elements
Initial pre-fetch – start with a loaded cache
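An added simulation (not the BugCache paper's code) of the model on slides 49 to 68: an LRU cache of size 2, each bug fix counted as a hit or miss, and the temporal, spatial, changed-entity and new-entity loading policies as switches so their effect on the hit rate can be compared. The commit history is constructed for the example; initial pre-fetch is not modelled.

```python
from collections import OrderedDict, defaultdict
# Constructed commit history of a hypothetical project (not the
# BugCache paper's data): each commit lists the files it changed and,
# for a bug-fix commit, the file whose defect it fixed.
COMMITS = [
    {"files": ["a.c", "b.c"], "fix": None},
    {"files": ["a.c"],        "fix": "a.c"},
    {"files": ["c.c"],        "fix": None},
    {"files": ["a.c"],        "fix": "a.c"},
    {"files": ["b.c"],        "fix": "b.c"},
    {"files": ["d.c", "b.c"], "fix": None},
    {"files": ["d.c"],        "fix": "d.c"},
    {"files": ["c.c"],        "fix": "c.c"},
]

def simulate(commits, size=2, spatial=True, changed=True, new=True):
    """Replay the history through an LRU cache holding `size` files.
    Every bug fix is a lookup: hit if the fixed file is cached, else
    miss. The flags switch the extra loading policies on or off.
    Returns (hits, misses)."""
    cache = OrderedDict()                 # insertion order = recency
    seen, cochanged = set(), defaultdict(set)
    hits = misses = 0

    def load(f):
        cache[f] = None
        cache.move_to_end(f)
        while len(cache) > size:          # evict least recently loaded
            cache.popitem(last=False)

    for c in commits:
        files, fix = c["files"], c["fix"]
        if fix is not None:
            if fix in cache:
                hits += 1
            else:
                misses += 1
            load(fix)                                   # temporal locality
            if spatial:                                 # spatial locality:
                for g in sorted(cochanged[fix]):        # files co-changed
                    load(g)                             # with it before
        for f in files:
            if new and f not in seen:                   # new-entity locality
                load(f)
            elif changed:                               # changed-entity locality
                load(f)
            seen.add(f)
            cochanged[f].update(set(files) - {f})
    return hits, misses
```

On this history temporal locality alone gives 1 hit in 5 fixes, while adding the spatial, changed-entity and new-entity policies raises it to 4 of 5 with the same cache size.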
74. BugCache
Predicting Defects
(ASE 2006, ICSE 2007)
temporal locality
adaptive
hit rates of 71% to 95%
75. Vulture
Predicting
Security Vulnerabilities
(Work in Progress)
Stephan Neuhaus • Saarland University
Tom Zimmermann • Saarland University
Andreas Zeller • Saarland University
81. Vulnerabilities
Security Advisory 2005-12
Title: Livefeed bookmarks can steal cookies
Impact: High
Products: Firefox
Description: Earlier versions of Firefox allowed
javascript: and data: URLs as Livefeed bookmarks.
When they updated the URL would be run in the
context of the current page and could be used to
steal cookies or data displayed on the page. If the
user were on a page with elevated privileges (for
example, about:config) when the Livefeed was
updated, the feed URL could potentially run
arbitrary code on the user's machine.
83. Vulnerabilities
Security Advisory 2005-13
Title: Window Injection Spoofing
Severity: Low
Products: Firefox, Mozilla Suite
Description: A website can inject content into a
popup opened by another site if the target name
of the popup window is known. An attacker who
knows you are going to visit that other site could
spoof the contents of the popup.
84. Vulnerabilities
Five advisories shown superimposed on the slide:
Security Advisory 2005-14 - Title: SSL "secure site" indicator spoofing
Security Advisory 2005-15 - Title: Heap overflow possible in UTF8 to Unicode conversion
Security Advisory 2005-16 - Title: Spoofing download and security dialogs with overlapping windows
Security Advisory 2005-41 - Title: Privilege escalation via DOM property overrides
Security Advisory 2006-76 - Title: XSS using outer window's Function object
Impact/Severity ratings shown: Moderate, High, Critical
Products: Firefox (incl. 2.0), Thunderbird, Mozilla Suite
(The five description texts overlap in the slide extraction and cannot be separated.)
111. Research Questions
• How well do imports predict vulnerabilities?
• Can imports be used for
− classification (vulnerable or not) and for
− regression (number of vulnerabilities)?
112. Input Data
nsCOMArray 0
nsIDocument.h 1
nspr_md.h 0
nsDOMClassInfo 10
EmbedGTKTools 0
MozillaControl.cpp 0
nsDOMClassInfo has had 10
vulnerability-related bug reports
113. Input Data
Component, number of vulnerability-related bug reports, then one 0/1 column per imported header (the rotated column labels are not recoverable from the slide; one of them is "nsIXPConnect.h"):
nsCOMArray          0   1 0 0 0 1 0 0
nsIDocument.h       1   0 0 1 0 0 1 0
nspr_md.h           0   0 1 1 0 0 1 0
nsDOMClassInfo     10   0 0 1 0 1 0 0
EmbedGTKTools       0   0 0 0 0 1 0 0
MozillaControl.cpp  0   0 1 0 1 0 0 0
nsDOMClassInfo has had 10 vulnerability-related bug reports; nsDOMClassInfo imports "nsIXPConnect.h".
114. Distribution
ibution of MFSAs Distribution of Bug Reports
300
Number of Components
20 50
5
12
5 7 9 11 13 13579 13 17 24
umber of MFSAs Number of Bug Reports
115. Experiments
• 40 random splits: 6,968 rows in training set, 3,484 rows in validation set
• Classification: train SVM, compute recall and precision
• Regression: train SVM, compute rank correlation on top 1%
• SVM: linear kernel with default parameters, R implementation (up to 10GB of main memory)
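An added example (not Vulture's code) tying slides 112, 113 and 115 together: it derives the component x import matrix from #include lines and runs the classification experiment with a transparent leave-one-out scorer standing in for the SVM (that scorer is an assumption, not Vulture's model). The component names and bug-report counts are the slide's; the #include lines are constructed.

```python
import re
# Constructed sources for the components named on the input-data
# slide; the #include lines are made up, not Mozilla's real code.
SOURCES = {
    "nsCOMArray":         '#include "nsCOMPtr.h"\n#include "nsISupports.h"\n',
    "nsIDocument.h":      '#include "nsISupports.h"\n#include "nsIXPConnect.h"\n',
    "nspr_md.h":          '#include <prtypes.h>\n',
    "nsDOMClassInfo":     '#include "nsIXPConnect.h"\n#include "nsIScriptContext.h"\n'
                          '#include "nsCOMPtr.h"\n',
    "EmbedGTKTools":      '#include <gtk/gtk.h>\n',
    "MozillaControl.cpp": '#include <windows.h>\n#include "nsCOMPtr.h"\n',
}
# Vulnerability-related bug reports per component (the counts on the slide).
VULNS = {"nsCOMArray": 0, "nsIDocument.h": 1, "nspr_md.h": 0,
         "nsDOMClassInfo": 10, "EmbedGTKTools": 0, "MozillaControl.cpp": 0}
INCLUDE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.M)

def imports_of(sources):
    """Map each component to the set of headers it #includes."""
    return {c: set(INCLUDE.findall(src)) for c, src in sources.items()}

def import_matrix(sources):
    """The component x import 0/1 matrix shown on the slide."""
    incs = imports_of(sources)
    headers = sorted(set().union(*incs.values()))
    return headers, {c: [int(h in s) for h in headers] for c, s in incs.items()}

def score(sources, vulns, target):
    """Stand-in for the SVM (an assumption, not Vulture's model): for each
    header `target` imports, average the vulnerability counts of the OTHER
    components importing it, then average over headers (leave-one-out)."""
    incs = imports_of(sources)
    means = []
    for h in incs[target]:
        sharers = [vulns[c] for c in sources if c != target and h in incs[c]]
        if sharers:
            means.append(sum(sharers) / len(sharers))
    return sum(means) / len(means) if means else 0.0

def classify_all(sources, vulns, threshold=0.0):
    """Classification experiment: predict 'vulnerable' when score >
    threshold; return (recall, precision) against the real counts."""
    tp = fp = fn = 0
    for c in sources:
        predicted, actual = score(sources, vulns, c) > threshold, vulns[c] > 0
        tp += int(predicted and actual)
        fp += int(predicted and not actual)
        fn += int(actual and not predicted)
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return recall, precision
```

With this toy data both components that had vulnerability reports are caught (recall 1.0) but two clean components sharing `nsCOMPtr.h` with nsDOMClassInfo are flagged too (precision 0.5), the trade-off the recall/precision bullet on the slide measures.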