Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries

被引：3

作者：

Harzevili, Nima Shiri ^{[1
]}

Shin, Jiho ^{[1
]}

Wang, Junjie ^{[2
]}

Wang, Song ^{[1
]}

Nagappan, Nachiappan ^{[3
]}

机构：

[1] York Univ, Lassonde Sch Engn, Toronto, ON, Canada

[2] Chinese Acad Sci, Inst Software, Beijing, Peoples R China

[3] IIIT Delhi, New Delhi, India

来源：

2023 IEEE/ACM 20TH INTERNATIONAL CONFERENCE ON MINING SOFTWARE REPOSITORIES, MSR | 2023年

关键词：

Security vulnerability; machine learning libraries; empirical study;

D O I：

10.1109/MSR59073.2023.00018

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

The application of machine learning (ML) libraries has tremendously increased in many domains, including autonomous driving systems, medical, and critical industries. Vulnerabilities of such libraries could result in irreparable consequences. However, the characteristics of software security vulnerabilities have not been well studied. In this paper, to bridge this gap, we take the first step toward characterizing and understanding the security vulnerabilities of seven well-known ML libraries, including TensorFlow, PyTorch, Scikit-learn, Mlpack, Pandas, Numpy, and Scipy. To do so, we collected 683 security vulnerabilities to explore four major factors: 1) vulnerability types, 2) root causes, 3) symptoms, and 4) fixing patterns of security vulnerabilities in the studied ML libraries. The findings of this study can help developers and researchers understand the characteristics of security vulnerabilities across the studied ML libraries.

引用

页码：27 / 38

页数：12

共 50 条

[41] A software security assessment system based on analysis of vulnerabilities
Sui, Chenmeng
Liu, Yanzhao
Liu, Yun
Journal of Convergence Information Technology, 2012, 7 (06) : 211 - 219
[42] Security vulnerabilities in healthcare: an analysis of medical devices and software
Carlos M. Mejía-Granda
José L. Fernández-Alemán
Juan M. Carrillo-de-Gea
José A. García-Berná
Medical & Biological Engineering & Computing, 2024, 62 : 257 - 273
[43] A practical framework for dynamically immunizing software security vulnerabilities
Lin, Zhiqiang
Mao, Bing
Xie, Li
FIRST INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY, PROCEEDINGS, 2006, : 348 - +
[44] The Appilication of Fuzzing in Web software security vulnerabilities Test
Li, Li
Dong, Qiu
Liu, Dan
Zhu, Leilei
2013 INTERNATIONAL CONFERENCE ON INFORMATION TECHNOLOGY AND APPLICATIONS (ITA), 2013, : 130 - 133
[45] Security vulnerabilities in healthcare: an analysis of medical devices and software
Mejia-Granda, Carlos M.
Fernandez-Aleman, Jose L.
Carrillo-de-Gea, Juan M.
Garcia-Berna, Jose A.
MEDICAL & BIOLOGICAL ENGINEERING & COMPUTING, 2024, 62 (01) : 257 - 273
[46] Managing Publicly Known Security Vulnerabilities in Software Systems
Mahrous, Hesham
Malhotra, Baljeet
2018 16TH ANNUAL CONFERENCE ON PRIVACY, SECURITY AND TRUST (PST), 2018, : 247 - 256
[47] Measuring, analyzing and predicting security vulnerabilities in software systems
Alhazmi, O. H.
Malaiya, Y. K.
Ray, I.
COMPUTERS & SECURITY, 2007, 26 (03) : 219 - 228
[48] Demystifying the Impact of Open-Source Machine Learning Libraries on Software Analytics
Zhao, Yu
Gong, Yihui
Gong, Lina
Jiang, Shujuan
Huang, Zhiqiu
IEEE TRANSACTIONS ON RELIABILITY, 2024,
[49] Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions
Anwar, Afsah
Khormali, Aminollah
Nyang, DaeHun
Mohaisen, Aziz
SECURITY AND PRIVACY IN COMMUNICATION NETWORKS, SECURECOMM 2018, PT I, 2018, 254 : 377 - 395
[50] Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions
Anwar, Afsah
Khormali, Aminollah
Mohaisen, Aziz
PROCEEDINGS OF THE 2018 ACM ASIA CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY (ASIACCS'18), 2018, : 793 - 795

← 1 2 3 4 5 →