Researchers from Saarland University Predict Flaws from Vulnerability History
 
Security flaws in software cause enormous damages.  An FBI study from 2005 estimates the losses from computer crime at a staggering $67 billion.  Most losses were due to insecure software.  Researchers at Saarland University have now introduced a new approach that learns from previous flaws and predicts just how vulnerable a software component is.
Everything begins with a flaw: a program exhibits a security hole that is used by attackers to gain unauthorized access.  This hole is then plugged by the software vendor, who strives to put out a fixed version of his software as soon as possible.  All this activity is being systematically recorded in databases, and it is these databases that the researchers from Saarbrücken found particularly interesting.
"First of all, we determined where the vulnerabilities are in the program's source code", says Stephan Neuhaus, PhD student at the chair for Software Engineering.  "What we get is a map that shows us just where the vulnerable components are: the redder a component, the more vulnerabilities it has had in the past."  Such a map allows programmers to identify vulnerable components and to inspect them more closely. 
But this is not all: the approach from Saarbrücken is able to predict automatically where the next vulnerabilities will probably be found. "We examine those components with which vulnerable components cooperate", says Thomas Zimmermann who developed the approach together with Stephan Neuhaus.  "We found out that vulnerable components cooperate with similar components."  In the words of Professor Andreas Zeller, leader of the project, "Tell me with whom you cooperate and I'll tell you how vulnerable you are." 
In this way, the researchers from Saarbrücken can pinpoint exactly where vulnerabilities were in the past and where they are most likely to appear in the future.  "To put it simply, if your component implements some aspect of JavaScript, it will be much more vulnerable than other components", says Stephan Neuhaus.  This is not particularly surprising for Internet professionals.  The nice thing about the approach from Saarbrücken is however that it works fully automatically.  "All that we need is vulnerability and version histories, and this is created automatically by standard tools that are being used in the software development process anyway.  From this we can predict where the next vulnerabilities will lie", says Andreas Zeller.
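The two steps described above, mapping past security fixes onto source files and then scoring other files by the "cooperation" (import) relation they share with vulnerable ones, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the Saarbrücken researchers; the commit log, the set of security bug IDs and the import lists are constructed sample data, and the scoring rule (average over a file's imports of the fraction of importers that have had a security fix) is a deliberately simple stand-in for whatever the researchers' actual predictor does.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not taken from any real project).
# The vulnerability database: bug IDs that were classified as security-relevant.
SECURITY_BUGS = {"1001", "1002", "1003"}

# The version history: (commit message, files touched). A commit that fixes a
# security bug is recognised by the bug ID appearing in its message.
COMMITS = [
    ("Fix bug 1001: buffer overflow in JS string handling", ["js/jsstr.c"]),
    ("Fix bug 1002: use-after-free in JS GC", ["js/jsgc.c", "js/jsapi.c"]),
    ("Bug 2001: typo in help text", ["ui/help.c"]),
    ("Fix bug 1003: bounds check in regexp", ["js/jsregexp.c"]),
    ("Bug 2002: refactor layout code", ["layout/table.c"]),
]

# The "cooperation" relation: which headers each component includes.
IMPORTS = {
    "js/jsstr.c":     {"jsapi.h", "jsstr.h", "jsgc.h"},
    "js/jsgc.c":      {"jsapi.h", "jsgc.h"},
    "js/jsapi.c":     {"jsapi.h", "jsgc.h", "jsstr.h"},
    "js/jsregexp.c":  {"jsapi.h", "jsregexp.h", "jsstr.h"},
    "js/jsdate.c":    {"jsapi.h", "jsstr.h"},   # no past fix, but JS-style imports
    "ui/help.c":      {"gtk.h", "ui.h"},
    "layout/table.c": {"layout.h", "dom.h"},
    "layout/frame.c": {"layout.h", "dom.h", "jsapi.h"},
}

BUG_ID = re.compile(r"\b(\d{4})\b")


def vulnerability_map(commits, security_bugs):
    """Step 1: the 'map' of the past. Count security fixes per file by
    joining the version history with the vulnerability database."""
    counts = Counter()
    for message, files in commits:
        if set(BUG_ID.findall(message)) & security_bugs:
            for f in files:
                counts[f] += 1
    return counts


def import_risk(counts, imports):
    """For each header, the fraction of its importers that have had a
    security fix. A header used mostly by vulnerable files is 'risky'."""
    importers = defaultdict(set)
    for comp, headers in imports.items():
        for h in headers:
            importers[h].add(comp)
    return {h: sum(1 for c in comps if counts[c] > 0) / len(comps)
            for h, comps in importers.items()}


def predict(counts, imports):
    """Step 2: score every component by the average risk of what it imports
    ('tell me with whom you cooperate')."""
    risk = import_risk(counts, imports)
    return {comp: (sum(risk[h] for h in headers) / len(headers) if headers else 0.0)
            for comp, headers in imports.items()}


def ranked_candidates(commits, security_bugs, imports, top=3):
    """Files with no security fix so far, ranked by predicted vulnerability.
    This is the list a reviewer would inspect first."""
    counts = vulnerability_map(commits, security_bugs)
    scores = predict(counts, imports)
    unseen = [(c, round(s, 3)) for c, s in scores.items() if counts[c] == 0]
    return sorted(unseen, key=lambda cs: (-cs[1], cs[0]))[:top]


if __name__ == "__main__":
    for comp, score in ranked_candidates(COMMITS, SECURITY_BUGS, IMPORTS):
        print(f"{score:.3f}  {comp}")
```

On the sample data, `js/jsdate.c` ranks first even though it has never been fixed for a security bug: every header it includes is also included by files that have been, which is exactly the effect the quotes above describe. The scoring rule here is only a toy; the point is that nothing beyond the bug tracker and the version control log is needed as input.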
In January 2007, the team from Saarbrücken prepared a list of ten source code files that according to their approach were most likely to contain new vulnerabilities.  Five of those ten files had to be fixed within the next six months because of security flaws. This shows the practical strength of the approach. 
Security experts agree with that assessment: the approach will be presented in November at one of the most prestigious computer security conferences, the ACM Computer and Communication Security in Virginia, USA.  The program committee accepted 55 out of 303 submissions; the contribution from Saarbrücken is the only accepted paper by a German research group.  
Questions are answered by: 
Prof. Dr. Andreas Zeller
Tel. 0681/302-64011
Friederike Meyer zu Tittingdorf
Tel. 0681/302-58099
Criteria of this press release:
Information technology
transregional, national
Research projects, Research results
English