Visible to the public Do #ifdefs influence the occurrence of vulnerabilities? an empirical study of the linux kernelConflict Detection Enabled

TitleDo #ifdefs influence the occurrence of vulnerabilities? an empirical study of the linux kernel
Publication TypeConference Proceedings
Year of Publication2016
AuthorsGabriel Ferreira, Momin Malik, Christian Kästner, Jurgen Pfeffer, Sven Apel
Conference NameSPLC '16 Proceedings of the 20th International Systems and Software Product Line Conference
Date Published09/2016
PublisherACM New York, NY, USA ©2016
Conference LocationBeijing, China
ISBN Number978-1-4503-4050-2
KeywordsCMU, Oct'16

Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code.

We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities.

Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.

Citation Keynode-30357

Other available formats:

Ferreira_do_ifdefs_influence_CK.pdfPDF document1.04 MBDownloadPreview