Large Scale Characterization of Software Vulnerability Life Cycles

Shahzad, Muhammad; Shafiq, M. Zubair; Liu, Alex X.

doi:10.1109/tdsc.2019.2893950

Cited by 15 publications

(14 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other research finds that manufacturers' "patch release behavior is an under investigated component of overall software quality and security" [49, p. 116]. Several studies, e.g., [9], find that there are significant delays between vulnerability disclosure and patch release. One good example is Android OS, where there are significant differences in the U&P frequency between phone manufacturers [50].…”

Section: Software Engineering For Internet Of Things' Patches and Upd...mentioning

confidence: 99%

See 1 more Smart Citation

A Large-Scale Analysis of IoT Firmware Version Distribution in the Wild

Ebbers

2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

This paper examines the up-to-dateness of installed firmware versions of Internet of Things devices accessible via public Internet. It takes a novel approach to identify versions based on the source code of their web interfaces. It analyzes data sets of 1.06m devices collected using the IoT search engine Censys and then maps the results against the latest version each manufacturer offers. A fully scalable and adaptive approach is developed by applying the SEMMA data mining process. This approach relies on three data artifacts: raw data from Censys, a mapping table with firmware versions, and a keyword search list. The results confirm the heterogeneity of connected IoT devices and show that only 2.45 percent of the IoT devices "in the wild" run the latest available firmware. Installed versions are 19.2 months old on average. This real-world evidence suggests that the updating processes and methods used by engineers so far are not sufficient to keep IoT devices up-to-date. This paper identifies and quantifies influencing factors and captures the global and diverse distribution of IoT devices. It finds manufacturer and device type influence the up-todateness of firmware, whereas the country in which the device is deployed is less significant.

show abstract

Section: Software Engineering For Internet Of Things' Patches and Upd...mentioning

confidence: 99%

“…Researchers attribute the potential to protect devices to both users and manufacturers, and thus to software engineers [1], [8]. However, many manufacturers do not provide patches in a timely manner [9]. While IoT standards for providing FW updates exist [10], [11], these do not appear very institutionalized.…”

Section: Introductionmentioning

confidence: 99%

A Large-Scale Analysis of IoT Firmware Version Distribution in the Wild

Ebbers

2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…The life-cycle of a vulnerability typically refers to the time of i) introduction, ii) discovery (may never be known/ documented), iii) disclosure (vulnerability being disclosed to the corresponding package maintainers), iv) advisory publication (in vulnerability databases), v) fix availability, and vi) exploit availability [35], [36]. Prior work [11], [18], [31], [35], [36], [37], [38], [39] has looked at the time duration between vulnerability disclosure, fix availability, and exploit availability. Li and Paxson [6] have looked at the time duration between vulnerability introduction, discovery, and commit date of the code changes that fix the vulnerability.…”

Section: Vulnerability Life Cyclementioning

confidence: 99%

“…Imtiaz et al [19], when comparing popular SCA tools, found six of the nine studied tools to have reported unique non-CVEs that were not reported by the other tools in the study. However, while the CVE data is widely accepted within the security community, and well studied in the literature [6], [11], [35], [36], [37], [38], vulnerabilities without a CVE identifier are still under-studied, although they are not uncommon in the open source vulnerability databases [19]. Approximately one-fourth of the advisories in our dataset are non-CVEs which provides us with a unique opportunity to compare CVEs and non-CVEs relative to security release practices.…”

Section: Cves Vs Non-cvesmentioning

confidence: 99%

Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages

Imtiaz¹,

Aniqa²,

Williams³

2021

Preprint

View full text Add to dashboard Cite

Vulnerabilities in open source packages can be a security risk for the client projects that use these packages as dependencies. When a new vulnerability is discovered in a package, the package should quickly release a fix in a new version, referred to as security release in this study. The security release should be well-documented and require minimal migration effort to facilitate fast adoption by the client projects. However, to what extent the open source packages follow these recommendations is not known. The goal of this study is to aid software practitioners and researchers in understanding the current practice of releasing security fixes by open source packages and identifying areas for improvement through an empirical study of security releases. Specifically, in this paper, we study (1) the time lag between fix and release; (2) how security fixes are documented in the release notes; (3) code change characteristics (size and semantic versioning) of the release; and (4) the time lag between the release and an advisory publication on Snyk or NVD (two popular vulnerability databases) for security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). We find that the median security release is available in under 4 days of the corresponding fix and contains 134 lines of code (LOC) change. Further, we find that 61.5% of the security releases come with a release note that documents the corresponding security fix. However, Snyk and NVD may take a median of 25 days (from the release) to publish an advisory for these security releases, possibly resulting in delayed notification to the client projects. Further, security releases may also contain breaking change(s) as 13.4% of the releases indicated backward incompatibility through semantic versioning, while 6.4% of the releases mentioned breaking change(s) in the release notes. Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases.

show abstract

“…S oftware vulnerabilities generally refer to security flaws in source code and are prevalent in modern software system evolution [1]. Attackers can utilize unresolved vulnerabilities to undertake malicious activities, posing enormous risks to millions of users around the globe [2].…”

Section: Introductionmentioning

confidence: 99%

Introduction to the Department of Cardiology in Nanjing First Hospital of Nanjing Medical University, China

Zhang

Chen

2020

European Heart Journal

View full text Add to dashboard Cite

Reclosure of ruptured incision after peroral endoscopic myotomy using endoloops and metallic clipsSince Inoue et al. introduced peroral endoscopic myotomy (POEM) into a clinic to treat esophageal achalasia in 2010, the procedure has been carried out in many countries around the world. 1 As more and more POEM is being done, associated technical difficulties and complications may occur. 2 To our knowledge, the present study is the first to report incision rupture after POEM.A 37-year-old man presented to our academic center after experiencing 25 years of dysphagia and 2 months of exacerbation. Barium swallow examination and esophageal manometry diagnosed the patient with type I esophageal achalasia and he agreed to receive POEM.POEM was carried out using the standard technique. After the operation, the patient received routine postoperative care. On the third day after the procedure, the patient had a fever (38.9°C, white blood cell count 18.24 × 10 9 /L, % neutrophils 95.3%) and X-ray showed the absence of several metal clips at the proximal end of the longitudinal incision which revealed the incision rupture.Gastroesophageal endoscopy showed that the middle and proximal parts of the incision was ruptured. It was not possible to reclose the incision with routine clips because of the swollen mucosa around the defect. On endoscopy, an endoloop was inserted and snared the remaining clips in the distal part. In the middle, four clips were anchored onto the defect margins at full thickness and another endoloop was inserted to snare the clips tightly. The same procedure was done in the proximal part (Figs 1,2). After monitoring the patient's condition for several days, he was discharged without any complaints or complications.In the present study, we propose reclosure of a mucosal incision after POEM using conventional endoloops and hemostatic clips. It could reclose the incision regardless of the swollen tissue or the size of the longitudinal incision.

show abstract

Large Scale Characterization of Software Vulnerability Life Cycles

Cited by 15 publications

References 21 publications

A Large-Scale Analysis of IoT Firmware Version Distribution in the Wild

A Large-Scale Analysis of IoT Firmware Version Distribution in the Wild

Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages

Introduction to the Department of Cardiology in Nanjing First Hospital of Nanjing Medical University, China

Contact Info

Product

Resources

About