An Empirical Study on Virtual Reality Software Security Weaknesses

TL;DR

This empirical study analyzes 1,681 security weaknesses in 334 VR projects on GitHub, revealing prevalent types, introduction timing, and survival of vulnerabilities, highlighting the security risks in VR development tools and UI components.

Contribution

First systematic dataset of VR security weaknesses created using a novel framework, providing new insights into vulnerability types and their lifecycle in VR software.

Findings

VR weaknesses are mostly UI-related and resource-related.

VR development tools have higher security risks than applications.

Weaknesses are often introduced at the start of VR software development.

Abstract

Virtual Reality (VR) has emerged as a transformative technology across industries, yet its security weaknesses, including vulnerabilities, are underinvestigated. This study investigates 334 VR projects hosted on GitHub, examining 1,681 software security weaknesses to understand: what types of weaknesses are prevalent in VR software; when and how weaknesses are introduced; how long they have survived; and how they have been removed. Due to the limited availability of VR software security weaknesses in public databases (e.g., the National Vulnerability Database or NVD), we prepare the first systematic dataset of VR software security weaknesses by introducing a novel framework to collect such weaknesses from GitHub commit data. Our empirical study on the dataset leads to useful insights, including: (i) VR weaknesses are heavily skewed toward user interface weaknesses, followed by resource-related weaknesses; (ii) VR development tools pose higher security risks than VR applications; (iii) VR security weaknesses are often introduced at the VR software birth time.