The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching

Nappa, Antonio; Johnson, R. Burke; Bilge, Leyla; Caballero, Juan; Dumitraş, Tudor

doi:10.1109/sp.2015.48

Cited by 103 publications

(91 citation statements)

References 24 publications

(27 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This requires the definition of models that jointly evaluate attacker's and defender's strategies: (89) several independent studies showed that most attacks are driven by a handful of vulnerabilities only, suggesting that attackers choose vulnerabilities to exploit as opposed to launching attacks drawn randomly from a pool of exploits for all vulnerabilities. (46,47,103) Capturing these aspects may require to integrate socioeconomic models to evaluate attacker's incentives in marketing or buying a new vulnerability (91,102) or choosing a target. (89) We consider these aspects for future work.…”

Section: Discussionmentioning

confidence: 99%

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Allodi

Massacci

2017

Risk Analysis

View full text Add to dashboard Cite

Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage on the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automatic tools that make up the vast majority of attacks in the wild against users and organizations. We consider two-stage attacks whereby the attacker first breaches an Internet-facing system, and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of "weaponized" vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology by using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.

show abstract

Section: Discussionmentioning

confidence: 99%

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Allodi

Massacci

2017

Risk Analysis

View full text Add to dashboard Cite

show abstract

“…Similar to other software, Android vendors maintain the security of their devices by developing and issuing patches regularly. Nappa et al [27] studied the vulnerabilities life cycle in client applications, and Li and Paxson [22] investigated the patch development life cycle in open source software projects. The issues of automatic updates and semi-automatic updates have been investigated in [10] and [24], respectively.…”

Section: Related Workmentioning

confidence: 99%

An Empirical Study of Android Security Bulletins in Different Vendors

Farhang

Kirdan

Lászka

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

Mobile devices encroach on almost every part of our lives, including work and leisure, and contain a wealth of personal and sensitive information. It is, therefore, imperative that these devices uphold high security standards. A key aspect is the security of the underlying operating system. In particular, Android plays a critical role due to being the most dominant platform in the mobile ecosystem with more than one billion active devices and due to its openness, which allows vendors to adopt and customize it. Similar to other platforms, Android maintains security by providing monthly security patches and announcing them via the Android security bulletin. To absorb this information successfully across the Android ecosystem, impeccable coordination by many different vendors is required.In this paper, we perform a comprehensive study of 3,171 Androidrelated vulnerabilities and study to which degree they are reflected in the Android security bulletin, as well as in the security bulletins of three leading vendors: Samsung, LG, and Huawei. In our analysis, we focus on the metadata of these security bulletins (e.g., timing, affected layers, severity, and CWE data) to better understand the similarities and differences among vendors. We find that (i) the studied vendors in the Android ecosystem have adopted different structures for vulnerability reporting, (ii) vendors are less likely to react with delay for CVEs with Android Git repository references, (iii) vendors handle Qualcomm-related CVEs differently from the rest of external layer CVEs.

show abstract

“…To sketch a trade-off model that would allow to perform a retrospective analysis for "global" security maintenance of the whole FOSS component, we attempt to generalize the above "local" decision support. Similarly to Nappa et al [49], who employed survival analysis to analyze the time after a security patch is applied to a vulnerable host, we used it to analyze the persistence of vulnerable coding that we extracted from the sample of FOSS projects (shown in Table 2) with our screening tests. Survival analysis is the field of statistics that analyzes the expected duration of time before an event of interest occurs [50], and is being widely used in biological and medical studies.…”

Section: Decision Support For Security Mainte-nancementioning

confidence: 99%

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Dashevskyi

Brucker

Massacci

2019

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Abstract-Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older version of the FOSS component used. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly on disclosed vulnerabilities-in case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundred thousands lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.

show abstract

The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching

Cited by 103 publications

References 24 publications

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

An Empirical Study of Android Security Bulletins in Different Vendors

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Contact Info

Product

Resources

About