Presentation is loading. Please wait.

Presentation is loading. Please wait.

Department of Computer Science, Graduate School of Information Science & Technology, Osaka University An Empirical Study of Out-dated Third-party Code.

Published byJeffry Richardson Modified over 8 years ago

Similar presentations

Presentation on theme: "Department of Computer Science, Graduate School of Information Science & Technology, Osaka University An Empirical Study of Out-dated Third-party Code."— Presentation transcript:

1 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University An Empirical Study of Out-dated Third-party Code in Open Source Software Pei Xia Inoue Lab 2013/02/12 1

2 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Third-party Code in OSS Developers reuse 3rd-party code from existing open source projects [1] [1] S.Haefliger, G.Krogh, S.Spaeth, 2008. “Code Reuse in Open Source Software”, Management Science, Vol.54 No.1 Jan.2008 reuse zlib libpng libjpeg libxml2 …… openssl 2 User project

3 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Out-dated Third-Party Code Third-party code of older versions containing known defects such as software vulnerabilities that should be fixed by upgrading them to a newer version reuse v1.0 v1.1 v1.2v2.0 v2.1 Timeline 3rd-party project bug 3 User project No Existing Research

4 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Research Questions What is the proportion of out-dated 3rd-party code reused in the open source software? What are the potential defects caused by such reuse? How do user projects manage those out- dated 3rd-party code? Be helpful in understanding OSS reuse activities, evaluating the quality of OSS and predicting some of the potential defects 4

5 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Study Approach Overview 5 rep v1.0 v1.1 v1.2v2.0 v2.1 Timeline 3rd-party project bug 1.Defects Information Collection 2.Projects Searching 3.Version Identifying 4.Management Information Collection

6 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Step 1 : Defects Information Collection Home page announcement National Vulnerability Database [2]  The U.S. Government repository of standards based vulnerability management data [2] National Vulnerability Database, http://nvd.nist.gov/ 6

7 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Step 2 : Projects Searching Using OpenCCFinder [3] to Search [3] P. Xia, Y. Manabe, N. Yoshida, and K. Inoue. Development of a code clone search tool for open source repositories. Technical report, IPSJ SIG Technical Reports, Vol.2011-SE-174, No2,pp.1-8, 2011. 7

8 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University v2.1 Step 3 : Version Identifying rep v1.0 v1.1 v1.2v2.0 V2.1 Timeline Third-party project Tokenized file hash 197770261 1786259145 917292968 849110879 197770261 1786259145 917292968 706253673 197770261 1786259145 527652421 706253673 598032372 1786259145 527652421 706253673 598032372 1191396480 527652421 706253673 // some comment public static void main(){ int a=0; a=a+1; } publicstaticvoid$(){int$=$;$=$+$;} 197770261 rep User project 1 User project 2 Latest ver. 197770261 1786259145 917292968 706253673 598032372 1786259145 527652421 706253673 match Tokenization Hashing v1.1 v2.0 8

9 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Step 4 : Management Information Collection Questions on reused 3rd-party code  Modified or Copy&Paste?  Keep updating?  Well managed? Manual investigation  Directory structure and file name  Repository commit history  readme.txt  changelog.txt 9

10 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Case study Subject Project NameDomainProject History zlibData compression1995-current libcurlFile transfer1999-current libpngGraphics1995-current 10

11 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Case Study Result (1/5) What is the proportion of out-dated 3rd-party code reused in the open source software? 11 libpng (50) Reused Versions of 3 rd -party code # Projects using 3 rd -party code Vulnerabilities reported Warning from hompageNo defects reported

12 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Case Study Result (2/5) What is the proportion of out-dated 3rd-party code reused in the open source software? # investigated projects # projects contain out- dated 3rd-party code Out-date code Percentage zlib451431.11% libcurl282485.71% libpng504692.00% total1238468.30% 12

13 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Case Study Result (3/5) What are the potential defects caused by such reuse? zlib versionReported defects v1.1.3CVE-2002-0059 VU#368819 CA-2002-07 v1.1.4CVE-2003-0107 VU#142121 v1.2.1 v1.2.2CVE-2004-0797 VU#238687 v1.2.1 v1.2.2CVE-2005-2096 VU#680620 v1.2.2CVE-2005-1849 v1.2.4Bug Fixed. Update suggestion from project homepage Example CVE-2005-1849: inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced. 13

14 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Case Study Result (4/5) How do user projects manage those out- dated 3rd-party code? 14

15 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Case Study Result (5/5) How do user projects manage those out- dated 3rd-party code?  96 (78.0%) of user projects reused the third- party code with copy and paste  6 (4.9%) of user projects changed directory names or mix the third-party code with other code 15

16 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Conclusion In this study, 68.3% of open source software are reusing out-dated third-party code which contain critical defects. More than half of the open source projects did not manage the third-party code very well. 16

17 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Future work Develop a 3rd-party code manage system  Version identifying  Defects prediction  Automatically Updating 17

18 Department of Computer Science, Graduate School of Information Science & Technology, Osaka University Q&A 18

Download ppt "Department of Computer Science, Graduate School of Information Science & Technology, Osaka University An Empirical Study of Out-dated Third-party Code."

Similar presentations

Intro to Version Control Have you ever …? Had an application crash and lose ALL of your work Made changes to a file for the worse and wished you could.

Intro to Version Control Have you ever …? Had an application crash and lose ALL of your work Made changes to a file for the worse and wished you could.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Identifying Source.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Identifying Source.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extraction of.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extraction of.
SAFETYCHECK Eric Hatch | David Allen |Bailee Lucas| Austin Rhodes.

SAFETYCHECK Eric Hatch | David Allen |Bailee Lucas| Austin Rhodes.
Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.
Benjamin J. Deaver Advisor – Dr. LiGuo Huang Department of Computer Science and Engineering Southern Methodist University.

Benjamin J. Deaver Advisor – Dr. LiGuo Huang Department of Computer Science and Engineering Southern Methodist University.
Removing Spyware Cleaning Up Your Computer. Pin Point the Problem Is Your Computer Not Running Properly? Are You Sure That the Problem is Spyware? Observe.

Removing Spyware Cleaning Up Your Computer. Pin Point the Problem Is Your Computer Not Running Properly? Are You Sure That the Problem is Spyware? Observe.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.

Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.
Revision Control Practices in Software Engineering Surekha, Kotiyala Madhuri, Komuravelly Suchitra, Yerramalla.

Revision Control Practices in Software Engineering Surekha, Kotiyala Madhuri, Komuravelly Suchitra, Yerramalla.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Measuring Copying.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Measuring Copying.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Industrial Application.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Industrial Application.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Where Does This.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Where Does This.
Lecturer: Ghadah Aldehim

Lecturer: Ghadah Aldehim
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University CoxR: Open Source.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University CoxR: Open Source.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Finding Similar.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Finding Similar.
Yuki Manabe*, Daniel M. German†,‡ and Katsuro Inoue†

Yuki Manabe*, Daniel M. German†,‡ and Katsuro Inoue†
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University What Kinds of.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University What Kinds of.
University of Maryland Bug Driven Bug Finding Chadd Williams.

University of Maryland Bug Driven Bug Finding Chadd Williams.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University A Criterion for.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University A Criterion for.

Similar presentations

Ads by Google