Do #ifdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel

Abstract

Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.

DOI: 10.1145/2934466.2934467

Extracted Key Phrases

5 Figures and Tables

Cite this paper

@inproceedings{Ferreira2016DoI, title={Do #ifdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel}, author={Gabriel Ferreira and Momin M. Malik and Christian K{\"a}stner and J{\"{u}rgen Pfeffer and Sven Apel}, booktitle={SPLC}, year={2016} }