Do #ifdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel

TL;DR

This study investigates how #ifdefs and configuration complexity in the Linux kernel influence vulnerability occurrence, revealing that vulnerable functions tend to have higher variability and are more frequently compiled, highlighting the need for systematic variability management.

Contribution

It provides empirical evidence linking configuration complexity with vulnerabilities in the Linux kernel, emphasizing the importance of managing variability systematically.

Findings

Vulnerable functions exhibit higher variability than non-vulnerable ones.

Vulnerable functions are constrained by fewer configuration options.

Functions appearing in frequently-compiled variants are more prone to vulnerabilities.

Abstract

Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.