Abstract
Security patches of Open Source Software (OSS) point out the vulnerable source code and provide security fixes, which attackers can misuse to generate exploits for N-day attacks. Though the best practice for defending against this type of N-day attack is to patch the software in a timely manner, doing so becomes a challenge considering that a system may bundle multiple OSS components with a large number of patches, including security fixes, bug fixes, and new features. Even worse, software vendors may secretly patch their vulnerabilities without reporting to CVE or providing any explicit description in change logs. Hence, well-equipped attackers may compromise not only unpatched versions of the same software, but also other software with similar functionality, due to code clones or similar logic. We consider this one type of “0-day” vulnerability. Since those secret security patches should be correctly identified and applied with high priority, we develop a machine learning based toolset to help distinguish security patches from non-security patches. We then conduct an empirical analysis on three popular open source SSL libraries to study the existence of secret security patches. Our experimental results suggest that a joint effort is needed to eliminate this type of “0-day” attack introduced by secret patches.
Notes
1. The dataset is available at https://github.com/SecretPatch/Dataset.
Acknowledgements
We would like to thank Shu Wang and Fuxun Yu for their valuable suggestions on this work. This work is partially supported by NSF grants CNS-1822094 and IIP-1266147 and ONR grants N00014-16-1-3214, N00014-16-1-3216, and N00014-18-2893.
© 2020 Springer Nature Switzerland AG
Cite this chapter
Wang, X., Sun, K., Batcheller, A., Jajodia, S. (2020). An Empirical Study of Secret Security Patch in Open Source Software. In: Jajodia, S., Cybenko, G., Subrahmanian, V., Swarup, V., Wang, C., Wellman, M. (eds) Adaptive Autonomous Secure Cyber Systems. Springer, Cham. https://doi.org/10.1007/978-3-030-33432-1_13
DOI: https://doi.org/10.1007/978-3-030-33432-1_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-33431-4
Online ISBN: 978-3-030-33432-1
eBook Packages: Computer Science (R0)