
Empirical Study of Reopened Security Bugs on Mozilla
Cite this article: ZHANG Kai, SUN Xiao-bing, PENG Xin, ZHAO Wen-yun. Empirical Study of Reopened Security Bugs on Mozilla[J]. Computer Science, 2017, 44(11): 41-49.
Authors: ZHANG Kai, SUN Xiao-bing, PENG Xin, ZHAO Wen-yun
Affiliation (all authors): School of Software, Fudan University, Shanghai 201203, China; Shanghai Key Laboratory of Data Science, Fudan University, Shanghai 201203, China
Funding: Supported by the National Natural Science Foundation of China (61402396, 61370079) and the China Postdoctoral Science Foundation (2015M571489)
Abstract: Compared with other types of bugs, security bugs are reopened more often. They therefore require more development resources, which increases the cost of fixing them, so reducing security bug reopens is important. An empirical study of reopened security bugs helps reduce them. First, we analyzed a set of reopened security bugs from the Mozilla project in terms of security bug type, cause of the reopen, number of reopens, number of commits, number of modified files, lines of code added and deleted, and a comparison of the original fix with the re-fix. The results show that security bug reopens are common and are related to two factors: the complexity of identifying the cause of the bug and the complexity of fixing it. Second, how concentrated the files and code touched by the original fix are is one of the factors that influences reopening, and using a more complex and more effective fixing process can effectively avoid reopens. Finally, we summarize several causes of security bug reopens to help developers effectively identify reopens of different types of security bugs.

Keywords: Security bug; Reopens; Bug fixing; Empirical study
Received: 2016/10/7
Revised: 2016/12/17