Posts by Collection

portfolio

publications

An Empirical Analysis of Vulnerabilities in Virtualization Technologies

Published in 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 2016

Abstract

Cloud computing relies on virtualization technologies to provide computer resource elasticity and scalability. Despite its benefits, virtualization technologies come with serious concerns in terms of security. Although existing work focuses on specific vulnerabilities and attack models related to virtualization, a systematic analysis of known vulnerabilities for different virtualization models, including hypervisor-based and container-based solutions is not present in the literature. In this paper, we present an overview of the existing known vulnerabilities for hypervisor and container solutions reported in the CVE database and classified under CWE categories. Given the vulnerability identification and categorization, we analyze our results with respect to different virtualization models and license schemes (open source/commercial). Our findings show among others that hypervisors and containers share common weaknesses with most of their vulnerabilities reported in the category of security features.

Recommended citation: A. Gkortzis, S. Rizou and D. Spinellis, 'An Empirical Analysis of Vulnerabilities in Virtualization Technologies,' 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 2016, pp. 533-538, doi: 10.1109/CloudCom.2016.0093. https://antonisgkortzis.github.io/files/GRS_CloudSPD16.pdf

VulinOSS: A Dataset of Security Vulnerabilities in Open-source Systems

Published in ACM Mining Software Repositories conference (MSR'18), 2018

Abstract

Examining the different characteristics of open-source software in relation to security vulnerabilities, can provide the research community with findings that can lead to the development of more secure systems. We present a dataset where the reported vulnerabilities of 8694 open-source project versions, can be correlated with the corresponding source code and a number of software metrics. The metrics were obtained by analyzing the project’s source code via well-established tools. Apart from commonly used metrics (e.g. loc), we also provide data related to modern development trends such as continuous integration and testing. We outline motivational examples based on the dataset we describe.

Recommended citation: Antonios Gkortzis, Dimitris Mitropoulos, Diomidis Spinellis. "VulinOSS: A Dataset of Security Vulnerabilities in Open-source Systems." ACM Mining Software Repositories conference (MSR'18). https://antonisgkortzis.github.io/files/GMS_MSR_18.pdf

A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities

Published in Proceedings of the 18th International Conference on Software and Systems Reuse (ICSR '19), 2019

Abstract

Reuse is a common and often-advocated software development practice. Significant efforts have been invested into facilitating it, leading to advancements such as software forges, package managers, and the widespread integration of open source components into proprietary software systems. Reused software can make a system more secure through its maturity and extended vetting, or increase its vulnerabilities through a larger attack surface or insecure coding practices. To shed more light on this issue, we investigate the relationship between software reuse and potential security vulnerabilities, as assessed through static analysis. We empirically investigated 301 open source projects in a holistic multiple-case methods study. In particular, we examined the distribution of potential vulnerabilities between the native code created by a project’s development team and external code reused through dependencies, as well as the correlation between the ratio of reuse and the density of vulnerabilities. The results suggest that the amount of potential vulnerabilities in both native and reused code increases with larger project sizes. We also found a weak-to-moderate correlation between a higher reuse ratio and a lower density of vulnerabilities. Based on these findings it appears that code reuse is neither a frightening werewolf introducing an excessive number of vulnerabilities nor a silver bullet for avoiding them.

Recommended citation: Antonios Gkortzis, Daniel Feitosa, Diomidis Spinellis, 'A double-edged sword? software reuse and potential security vulnerabilities', Publisher: Springer, Cham, pages: 187-203 https://doi.org/10.1007/978-3-030-22888-0_13 https://antonisgkortzis.github.io/files/GFS_ICSR_19.pdf

Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities

Published in Journal of Systems and Software, Volume 172, February 2021, 110653, 2021

Abstract

Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, reported in public databases. The results suggest that larger projects in size are associated with an increase on the amount of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entail an excessive number of them.

Recommended citation: Gkortzis, Antonios, Daniel Feitosa, and Diomidis Spinellis. 'Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities.' Journal of Systems and Software 172 (2021): 110653 https://www2.dmst.aueb.gr/dds/pubs/jrnl/2020-JSS-reuse-vs-vuln/html/GFS20.pdf

talks

teaching

Lab Instructor in Software Engineering in Practice

Undergraduate course, Department of Management Science and Technology, Athens University of Economics and Business, 2021

Lab Instructor in Software Engineering in Practice major course for the Spring semesters of 2017 to 2021.