Understanding Vulnerability Inducing Commits of the Linux Kernel

This is the repository for the paper "Understanding Vulnerability Inducing Commits of the Linux Kernel" accepted to TOSEM 2024.

Dataset

Our complete dataset is included in this repository as CVE_to_KVIC.json, which maps each CVE to its corresponding Kernel Vulnerability Inducing Commits (KVICs).

Citation

Our paper can be cited as follows:

@article{jiang2024comprehensive,
  title     = {Understanding Vulnerability Inducing Commits of the Linux Kernel},
  author    = {Jiang, Muhui and Jiang, Jinan and Wu, Tao and Ma, Zuchao and Luo, Xiapu and Zhou, Yajin},
  journal   = {ACM Transactions on Software Engineering and Methodology},
  year      = {2024},
  abstract  = {The Linux kernel is popular and well-maintained. Over the past decade, around 860 thousand commits were merged with hundreds of vulnerabilities (i.e., 223 on average) disclosed every year, taking the total lines of code to 35.1 million in 2022. Many algorithms have been proposed to detect the vulnerabilities, but few studied how they were induced. To fill this gap, we conduct the first empirical study on the Kernel Vulnerability Inducing Commits (KVICs), the commits that induced vulnerabilities in the Linux kernel. We utilized 6 different methods for identifying the Kernel Vulnerability Fixing Commits (KVFCs), the commits that fix vulnerabilities in the Linux kernel, and proposed 4 other methods for identifying KVICs by using the identified KVFCs as a bridge. In total, we constructed the first dataset of KVICs with 1,240 KVICs for 1,335 CVEs. We conducted a thorough analysis on the characteristics, purposes, and involved human factors of the KVICs and obtained many interesting findings and insights. For example, KVICs usually have limited reviewers and can still be induced by experienced authors or maintainers. Based on these insights, we proposed several suggestions to the Linux community to help mitigate the induction of KVICs.},
  publisher = {Association for Computing Machinery},
  keywords  = {KVIC, Linux Kernel, Vulnerability Induction}
}
