
Investigating the Effects of T-Wise Interaction Sampling for Vulnerability Discovery in Highly-Configurable Software Systems

Bächle, Tim 1; Hofmayer, Erik 1; König, Christoph 1; Pett, Tobias 1; Schaefer, Ina 1
1 Institut für Informationssicherheit und Verlässlichkeit (KASTEL), Karlsruher Institut für Technologie (KIT)

Abstract (English):

Empirical evidence has shown that variability bugs, i.e., bugs that only manifest if certain features of a configurable software system are selected, are not only a theoretical concept. Many variability bugs involve an intricate interplay of multiple features, turning them into so-called feature-interaction bugs. The strategy of t-wise interaction sampling can be used to identify variability bugs in highly-configurable systems. In this regard, the number of findings, as well as the overall sample size, typically increase with stronger interaction sampling (i.e., higher t values). In this paper, we aim to confirm these observations for vulnerabilities. We use the static source code analysis platform Vari-Joern to analyze real-world highly-configurable software systems for the presence of vulnerability patterns using t-wise interaction sampling of varying strength and compare the number of findings and associated sample sizes. We analyze the feature configurations associated with the vulnerability warnings raised by our approach to evaluate the presence of feature interaction vulnerabilities. Our results show that stronger interaction sampling produces a greater number of findings at a higher computational cost, also for vulnerabilities.


Publisher's version
DOI: 10.5445/IR/1000184707
Published on: 09.09.2025
Affiliated institution(s) at KIT: Institut für Informationssicherheit und Verlässlichkeit (KASTEL)
Publication type: Conference proceedings contribution
Publication month/year: 09.2025
Language: English
Identifier: ISBN: 979-84-00-72024-6
KITopen-ID: 1000184707
HGF programme: 46.23.03 (POF IV, LK 01) Engineering Security for Mobility Systems
Published in: Proceedings of the 29th ACM International Systems and Software Product Line Conference - Volume A. Ed.: M.R. Luaces
Event: 29th ACM International Systems and Software Product Line Conference (SPLC 2025), A Coruña, Spain, 01.09.2025 – 05.09.2025
Publisher: Association for Computing Machinery (ACM)
Pages: 45–56
Published online ahead of print on: 31.08.2025
Keywords: Vulnerability Discovery, Software Product Lines, Combinatorial Interaction Testing, T-Wise Interaction Sampling, Static Analysis
Indexed in: OpenAlex, Dimensions, Scopus