15th USENIX Security Symposium Abstract
Pp. 93-104 of the Proceedings
Milk or Wine: Does Software Security Improve with Age?
Andy Ozment and Stuart E. Schechter, MIT Lincoln Laboratory
We examine the code base of the OpenBSD operating system to determine whether its security is increasing over time. We measure the rate at which new code has been introduced and the rate at which vulnerabilities have been reported over the last 7.5 years and fifteen releases.

We learn that 61% of the lines of code in today's OpenBSD are foundational: they were introduced prior to the release of the initial version we studied and have not been altered since. We also learn that 62% of reported vulnerabilities were present when the study began and can also be considered to be foundational.

We find strong statistical evidence of a decrease in the rate at which foundational vulnerabilities are being reported. However, this decrease is anything but brisk: foundational vulnerabilities have a median lifetime of at least 2.6 years.

Finally, we examined the density of vulnerabilities in the code that was altered or introduced in each version. The densities ranged from 0 to 0.033 vulnerabilities reported per thousand lines of code. These densities will increase as more vulnerabilities are reported.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.