Analysis of bugs in Google security research project database

Several classifications of software bugs exist in the literature. Bugs in software systems are classified primarily by their complexity and reproducibility. Bohrbugs and Mandelbugs are the two most common kinds of bugs present in most software systems. This paper studies the distribution of Bohrbugs and Mandelbugs in the Google Security Research Project (GSRP) and in some selected software systems. We also studied the frequency distribution of the bug-fix times reported in GSRP. Bug-fix time analysis is a critical part of studying bug reporting systems and of measuring software quality. For example, if bugs in a complex software system take a relatively long time to be fixed, the system may have structural problems that make the bugs difficult to reproduce. This paper reports the distribution of the various bug types and bug-fix time statistics. We also list the top 25 bug-fix times reported in GSRP.
