Proactive security review

Proactive security review and test efforts are a necessary component of the software development lifecycle. Resource limitations often preclude reviewing the entire code base. One way to prioritize security efforts is risk-based attack surface approximation (RASA), a technique that uses crash dump stack traces to predict what code may contain exploitable vulnerabilities. However, storing every crash seen by end users may be infeasible, depending on the scale of the deployment of the software. In this work, we explore the effect of random sampling of crashes on RASA as a mitigation strategy.

The goal

The goal of this research is to help software development teams prioritize security efforts by determining how random sampling of crash dump stack traces affects the result of risk-based attack surface approximation. We explore the use of RASA using Mozilla Firefox and Microsoft Windows 8.1 crash dump stack traces.


We create RASA at the file level for Firefox, in which the 15.8% of the files that were part of the approximation contained 73.6% of the vulnerabilities seen. For Windows 8.1, 23.6% of the files that were part of the approximation contained 44.5% of the vulnerabilities seen. We explore the rate of change in vulnerability and file coverage through the development of the Data Efficiency metric to quantify the efficiency of RASA at different sampling levels. For Mozilla Firefox, we observe less than 1% difference in total coverage of vulnerabilities starting at a 40% sampling of crashes. For Windows 8.1, we observe less than 2% difference in total coverage of vulnerabilities starting at a 60% sampling of crashes.

  • [DOI] C. Theisen, B. Murphy, K. Herzig, and L. Williams, “Risk-based attack surface approximation: how much data is enough?,” in 2017 ieee/acm 39th international conference on software engineering: software engineering in practice track (icse-seip), Piscataway, NJ, USA, 2017, p. 273–282.
    author = {Theisen, Christopher and Murphy, Brendan and Herzig, Kim and Williams, Laurie},
    title = {Risk-based Attack Surface Approximation: How Much Data is Enough?},
    booktitle={2017 IEEE/ACM 39th International Conference on Software Engineering: Software Engineering in Practice Track (ICSE-SEIP)},
    series = {ICSE-SEIP '17},
    year = {2017},
    isbn = {978-1-5386-2717-4},
    location = {Buenos Aires, Argentina},
    pages = {273--282},
    numpages = {10},
    url = {},
    doi = {10.1109/ICSE-SEIP.2017.9},
    acmid = {3103148},
    publisher = {IEEE Press},
    address = {Piscataway, NJ, USA}

No Comment

Comments are closed.