Vulnerability patch research in security [top-conference paper reading] [CCS 17] A Large-Scale Empirical Study of Security Patches

Copyright notice: please credit the source when reposting or citing. https://blog.csdn.net/weixin_39278265/article/details/87890743

Preface

This post is a reading of a CCS 17 paper on vulnerability patches in the security field: A Large-Scale Empirical Study of Security Patches.

1 Basic information

Li F, Paxson V. A large-scale empirical study of security patches[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2017: 2201-2215.

Two authors in total:
First author (PhD student): Frank Li https://people.eecs.berkeley.edu/~frankli/
Advisor: Vern Paxson https://www.icir.org/vern/ , who mainly works on networking (including protocols), systems, and network intrusion detection.

2 Paper contents

Background from the introduction (I did not follow it on first read):

Given how the “patching treadmill” plays a central role for enabling sites to counter emergent security concerns, it behooves the security community to understand the patch development process and characteristics of the resulting fixes. Illumination of the nature of security patch development can inform us of shortcomings in existing remediation processes and provide insights for improving current practices.

The work in this paper:

In this work we conduct a large-scale empirical study of security patches, investigating more than 4,000 bug fixes for over 3,000 vulnerabilities that affected a diverse set of 682 open-source software projects. For our analysis we draw upon the National Vulnerability Database, information scraped from relevant external references, affected software repositories, and their associated security fixes. Leveraging this diverse set of information, we conduct an analysis of various aspects of the patch development life cycle, including investigation into the duration of impact a vulnerability has on a code base, the timeliness of patch development, and the degree to which developers produce safe and reliable fixes. We then characterize the nature of security fixes in comparison to other non-security bug fixes, exploring the complexity of different types of patches and their impact on code bases.

Conclusions (findings):

Among our findings we identify that: security patches have a lower footprint in code bases than non-security bug patches; a third of all security issues were introduced more than 3 years prior to remediation; attackers who monitor open-source repositories can often get a jump of weeks to months on targeting not-yet-patched systems prior to any public disclosure and patch distribution; nearly 5% of security fixes negatively impacted the associated software; and 7% failed to completely remedy the security hole they targeted.

Roughly:

Given the central role the “patching treadmill” (the tedious, never-ending patching work) plays in letting sites counter emergent security problems, the security community needs to understand the patch development process and the characteristics of the resulting fixes. Shedding light on the nature of security patch development can reveal the shortcomings of current remediation processes and suggest how to improve current practice.
(Somewhat dense, with a lot of terminology.)

So the paper studies more than 4,000 bug fixes (for over 3,000 vulnerabilities, affecting 682 open-source software projects). The analysis draws on four sources: the NVD (National Vulnerability Database), information scraped from the external references the NVD entries point to, the affected software repositories, and the security fixes associated with them. With this diverse information, the authors analyze several aspects of the patch development life cycle: how long a vulnerability affects a code base, how timely patch development is, and how safe and reliable the fixes developers produce are. They then compare the nature of security fixes with other, non-security fixes, examining the complexity of the different kinds of patches and their impact on the code base.

The paper's findings are as follows: security patches have a smaller footprint in the code base than non-security patches; a third of the security issues were introduced into the code base (not discovered, but actually written into the code) more than three years before they were remedied; attackers who monitor open-source repositories often get a head start of weeks to months for targeting not-yet-patched systems, before any public disclosure or patch distribution; nearly 5% of security fixes negatively impacted the associated software; and 7% failed to completely fix the vulnerability they targeted.


In brief, the authors' work is: 1) study the patch development life cycle; 2) analyze and compare security fixes with non-security fixes; 3) explain the problems found in the course of the study.

3 A few Q&As

3.1 QA1: I would like to know about the patch development life cycle

The authors' experimental method is shown in a figure in the original post (figure not reproduced here).

On the life cycle:

From a software project’s perspective, a vulnerability advances through several events throughout its life, such as its introduction into the code base, its discovery and the subsequent patch development, the public disclosure of the security issue, and the distribution of the fx.

Roughly:
From a software project's perspective, a vulnerability passes through several events (which I read as stages) over its life, such as: the vulnerability is introduced into the code base; it is discovered; patch development follows; the security issue is publicly disclosed; and the fix is distributed.

There is also a dedicated post on this:
Security bug lifetime https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
According to it, a software vulnerability takes roughly 3-6 years from being introduced to being fixed.
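To make the measurements in Section 2 (linking NVD entries to fix commits, measuring a patch's footprint) and the life-cycle stages above concrete, here is a small added example. It is not code from the paper or from this post; the NVD-style entry, the commit dates and the unified diff are constructed for illustration, the CVE id is a placeholder, and the regex for spotting fix-commit references is an assumption about how such links look rather than the paper's own extraction logic.

```python
"""Added example (not from the paper or the blog post): a toy version of
three measurements the paper describes, run on constructed data.
"""
import re
from datetime import date

# Fix commits referenced from an NVD entry often appear as GitHub commit URLs.
# Assumed pattern; the paper's own reference-scraping rules are not on the page.
COMMIT_URL = re.compile(
    r"https?://github\.com/(?P<repo>[\w.-]+/[\w.-]+)/commit/(?P<sha>[0-9a-f]{7,40})"
)

# Constructed NVD-style entry; the CVE id is a placeholder, not a real one.
SAMPLE_NVD = {
    "cve": "CVE-XXXX-XXXX",
    "published": date(2016, 3, 1),  # public disclosure date
    "references": [
        "https://example.org/advisory/123",
        "https://github.com/example/project/commit/"
        "0123456789abcdef0123456789abcdef01234567",
    ],
}

# Constructed unified diff of a hypothetical fix that adds a bounds check.
SAMPLE_DIFF = """\
diff --git a/src/parse.c b/src/parse.c
--- a/src/parse.c
+++ b/src/parse.c
@@ -10,6 +10,8 @@
 int parse(const char *buf, size_t len)
 {
+    if (len > MAX_LEN)   /* bounds check added by the fix */
+        return -1;
     char tmp[MAX_LEN];
     memcpy(tmp, buf, len);
"""


def find_fix_commits(nvd_entry):
    """Return (repo, sha) for every commit URL among the entry's references."""
    hits = []
    for ref in nvd_entry["references"]:
        m = COMMIT_URL.search(ref)
        if m:
            hits.append((m.group("repo"), m.group("sha")))
    return hits


def diff_footprint(unified_diff):
    """Count files, hunks, added and removed lines in a unified diff.

    This is the kind of footprint metric the paper compares between security
    and non-security patches. File headers (---/+++) are not counted as changes.
    """
    files = hunks = added = removed = 0
    for line in unified_diff.splitlines():
        if line.startswith("diff --git"):
            files += 1
        elif line.startswith("@@"):
            hunks += 1
        elif line.startswith("+") and not line.startswith("+++"):
            added += 1
        elif line.startswith("-") and not line.startswith("---"):
            removed += 1
    return {"files": files, "hunks": hunks, "added": added, "removed": removed}


def lifecycle_days(introduced, fix_committed, disclosed):
    """Gaps between life-cycle events, in days.

    `introduced` would in practice come from blaming the lines the fix touches
    (how the paper dates introduction is not detailed on this page); here it is
    simply an input. `exposure_window` is the head start someone watching the
    public repository gets before disclosure.
    """
    return {
        "vuln_lifetime": (fix_committed - introduced).days,
        "exposure_window": (disclosed - fix_committed).days,
    }


def run_example():
    """Tie the three measurements together on the constructed data."""
    commits = find_fix_commits(SAMPLE_NVD)
    footprint = diff_footprint(SAMPLE_DIFF)
    timeline = lifecycle_days(
        introduced=date(2012, 5, 14),     # constructed: bug entered the tree
        fix_committed=date(2016, 1, 20),  # constructed: fix landed in the public repo
        disclosed=SAMPLE_NVD["published"],
    )
    return {"commits": commits, "footprint": footprint, "timeline": timeline}


if __name__ == "__main__":
    print(run_example())
```

On the constructed data the fix is tiny (one file, one hunk, two added lines), the bug lived in the tree for well over three years, and the public commit preceded the NVD publication by 41 days; those are exactly the three quantities (footprint, lifetime, and the pre-disclosure window) the paper's findings are stated in terms of.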

3.2 QA2: related work on patching

Some have analyzed public documentation about vulnerabilities, such as security advisories, to shed light on the vulnerability disclosure process [14, 32]. These studies, however, did not include analyses of the corresponding code bases and the patch development process itself. Others have tracked the development of specific projects to better understand patching dynamics [18, 28, 41]. While providing insights on the responsiveness of particular projects to security issues, these investigations have been limited to a smaller scale across a few (often one) projects.

[14] Stefan Frei, Martin May, Ulrich Fiedler, and Bernhard Plattner. Large-Scale Vulnerability Analysis. In SIGCOMM Workshops, 2006.
[32] Muhammad Shahzad, M. Zubair Shafiq, and Alex X. Liu. A Large Scale Exploratory Analysis of Software Vulnerability Life Cycles. In International Conference on Software Engineering (ICSE), 2012.
Surprisingly, this was published at ICSE rather than at a security venue. Interesting.

[18] Zhen Huang, Mariana D’Angelo, Dhaval Miyani, and David Lie. Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response. In IEEE Security and Privacy (S&P), 2016.
This tool is fairly well known: a rapid-response technique that inserts security workarounds to neutralize a vulnerability before a proper fix exists.
[28] Andy Ozment and Stuart E. Schechter. Milk or Wine: Does Software Security Improve with Age? In USENIX Security Symposium, 2006.
Hmm, am I going in circles? Just yesterday I read a survey (written up in my post: 手机隐私泄露日益严重? [论文阅读] [NDSS 2018] Bug Fixes, Improvements, ... and Privacy Leaks A) that also asked whether things get better or worse over time.
[41] Shahed Zaman, Bram Adams, and Ahmed E. Hassan. Security Versus Performance Bugs: A Case Study on Firefox. In Mining Software Repositories (MSR), 2011.

Nappa et al. [27] shed light on the patch deployment process from an end-user perspective, analyzing when security updates were available to clients and how quickly clients patched.

[27] Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, and Tudor Dumitras. The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching. In IEEE Security and Privacy (S&P), 2015.

Clearly the authors also pay close attention to bug-fixing research from the software engineering community, as the related work section shows:

Zhong and Su [42] conducted an empirical study of over 9,000 bug fixes across six Java projects. They framed their investigation around patch properties that would make them suitable for generation by automatic program repair, finding that the majority are too complex or too delocalized to likely be automatically created.

[42] Hao Zhong and Zhendong Su. An Empirical Study on Real Bug Fixes. In International Conference on Software Engineering (ICSE), 2015

Similarly, Park et al. [29] studied supplementary bug fixes, additional fixes produced when the initial fix was incomplete. Their analysis covered three open-source projects and showed that over a quarter of remedies required multiple patches.

[29] Jihun Park, Miryung Kim, Baishkhi Ray, and Doo-Hwan Bae. An Empirical Study on Supplementary Bug Fixes. In Mining Software Repositories (MSR), 2012.

Sliwerski et al. [33] investigated two projects and correlated updates that required fixes with the update sizes, finding larger updates were more likely to require subsequent fixes.

[33] Jacek Sliwerski, Thomas Zimmermann, and Andreas Zeller. When Do Changes Induce Fixes. In Mining Software Repositories (MSR), 2005.

Soto et al. [34] applied common bug fix patterns to Java patches, finding that less than 15% could be matched.

[34] Mauricio Soto, Ferdian Thung, Chu-Pan Wong, Claire Le Goues, and David Lo. A Deeper Look into Bug Fixes: Patterns, Replacements, Deletions, and Additions. In Mining Software Repositories (MSR), 2016.

In addition:
[39] Zhengzi Xu, Bihuan Chen, Mahinthan Chandramohan, Yang Liu, and Fu Song. SPAIN: Security Patch Analysis for Binaries Towards Understanding the Pain and Pills. In International Conference on Software Engineering (ICSE), 2017.
[30] Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar. VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. In ACM Conference on Computer and Communications Security (CCS), 2015.

4 Summary

My thoughts are in the notes.


抚长剑兮玉珥,璆锵鸣兮琳琅;
瑶席兮玉瑱,盍将把兮琼芳;
      —— Qu Yuan, Nine Songs (九歌)

Roughly:
My hand rests on the jade-inlaid hilt of the long sword; the jade pendants I wear chime and ring.
Jade weights hold down the corners of the fine jasper mat; the offerings are laid out and fresh flowers spread their fragrance.
https://so.gushiwen.org/shiwenv_a18a1d071633.aspx

So it goes. One has to find (or return to) some hobbies.

