The University of Auckland

Project #114: Testing Common Software Vulnerability Patches

Description:

There is a large and growing number of software vulnerabilities being discovered and reported, resulting in CVE (Common Vulnerabilities and Exposures) entries in the National Vulnerability Database (NVD). In open source projects, CVEs are usually addressed quickly with patch commits, followed by the release of new versions. Often those commits include regression tests that give some evidence the vulnerability has been fixed.

The objective of this research project is to investigate whether novel techniques can be developed to automatically assess those patch commits. In particular, comparing the source code and the test executions before and after the patch could increase or decrease our confidence that the patch actually fixes the vulnerability: a regression test that fails on the vulnerable version and passes on the patched one is evidence for the fix, while a test that passes on both exercises nothing the patch changed. Analysing how developers of open source projects patch and test vulnerabilities might help us to achieve this goal. The project can use public vulnerability datasets such as https://github.com/tuhh-softsec/vul4j to conduct experiments and to evaluate the automated tool to be developed.
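The test-execution half of that before/after comparison can be made concrete as follows. This is an added example, not code from the project description or from vul4j: the same regression test is run against the pre-patch and post-patch versions of a function, and the pair of outcomes is classified as evidence about the patch. The vulnerable and patched functions (a path-traversal guard), the tests, and the verdict labels are all constructed here for illustration; a real tool would obtain the two versions by checking out the parent and patch commits.

```python
"""Differential test execution: run one regression test against the
pre-patch and post-patch versions of a function and classify the evidence.
Everything below is constructed for illustration."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Callable

Serve = Callable[[str, str], str]
Test = Callable[[Serve], bool]


# --- Constructed "before" and "after" versions of a hypothetical patch ---

def serve_file_before(root: str, user_path: str) -> str:
    """Vulnerable: naive join, nothing stops '..' from escaping root."""
    return posixpath.join(root, user_path)


def serve_file_after(root: str, user_path: str) -> str:
    """Patched: normalise the joined path and reject anything outside root."""
    full = posixpath.normpath(posixpath.join(root, user_path))
    base = root.rstrip("/")
    if full != base and not full.startswith(base + "/"):
        raise ValueError("path escapes root")
    return full


# --- Constructed tests of varying quality ---

def regression_test(serve: Serve) -> bool:
    """Encodes the reproducer: a traversal payload must be rejected."""
    try:
        serve("/srv/www", "../../etc/passwd")
    except ValueError:
        return True
    return False


def happy_path_test(serve: Serve) -> bool:
    """Only checks normal input, so it cannot tell the two versions apart."""
    return serve("/srv/www", "index.html") == "/srv/www/index.html"


def relies_on_traversal_test(serve: Serve) -> bool:
    """Depends on the old, unsafe behaviour; the patch will break it."""
    return serve("/srv/www", "../shared/x").endswith("shared/x")


# --- Assessment ---

def run(test: Test, serve: Serve) -> bool:
    """A test passes only if it returns True without raising."""
    try:
        return bool(test(serve))
    except Exception:
        return False


# (fails_before, passes_after) -> what the pair of outcomes tells us
VERDICTS = {
    (True, True): "fixed",               # test discriminates and patch makes it pass
    (False, True): "non-discriminating",  # passes on the vulnerable version too
    (True, False): "unfixed",             # patch incomplete, or test targets something else
    (False, False): "regression",         # patch broke behaviour the test relied on
}


@dataclass(frozen=True)
class Verdict:
    fails_before: bool
    passes_after: bool
    label: str


def assess(test: Test, before: Serve, after: Serve) -> Verdict:
    """Classify one test's behaviour across the pre- and post-patch versions."""
    fails_before = not run(test, before)
    passes_after = run(test, after)
    return Verdict(fails_before, passes_after, VERDICTS[(fails_before, passes_after)])


if __name__ == "__main__":
    for name, t in [("regression_test", regression_test),
                    ("happy_path_test", happy_path_test),
                    ("relies_on_traversal_test", relies_on_traversal_test)]:
        print(name, assess(t, serve_file_before, serve_file_after).label)
```

Only the "fixed" verdict raises confidence in the patch; "non-discriminating" is the common case where a commit ships a test that never exercised the vulnerability, and "unfixed" or "regression" are signals that the commit deserves manual review.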

Type:

Undergraduate

Prerequisites

None

Lab

HASEL (405.662, Lab)