Title: Identifying casualty changes in software patches
Noise in software patches impedes their understanding, analysis, and use for tasks such as change prediction. Although several approaches have been developed to identify noise in patches, the problem has persisted. An analysis of a dataset of security patches for the Tomcat web server, which we further expanded with security patches from five additional systems, uncovered several kinds of previously unreported noise that we call nonessential casualty changes. These are changes that do not themselves alter the logic of the program but are necessitated by other changes made in the patch. In this paper, we provide a comprehensive taxonomy of casualty changes. We then develop CasCADe, an automated technique for identifying casualty changes. We evaluate CasCADe with several publicly available datasets of patches and tools that focus on them. Our results show that CasCADe is highly accurate, that the kinds of noise it identifies occur relatively commonly in patches, and that removing this noise improves the evaluation results of a previously published change-based approach.
Award ID(s):
1823354
PAR ID:
10293490
Author(s) / Creator(s):
Date Published:
Journal Name:
ESEC/FSE 2021: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Page Range / eLocation ID:
304 to 315
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Security patches in open source software (OSS) not only provide security fixes for identified vulnerabilities, but also make the vulnerable code public to attackers. Armored attackers may therefore misuse this information to launch N-day attacks on unpatched OSS versions. The best practice for preventing this type of N-day attack is to upgrade the software to the latest version promptly. However, due to concerns about reputation and a desire for simpler software development management, software vendors may choose to secretly patch their vulnerabilities in a new version without reporting them to CVE or even providing any explicit description in their change logs. When those secretly patched vulnerabilities are identified by armored attackers, they can be turned into powerful “0-day” attacks, which can be exploited to compromise not only unpatched versions of the same software, but also similar types of OSS (e.g., SSL libraries) that may contain the same vulnerability due to code cloning or similar design/implementation logic. Therefore, it is critical to identify secret security patches and downgrade the risk of those “0-day” attacks to at least “n-day” attacks. In this paper, we develop a defense system and implement a toolset to automatically identify secret security patches in open source software. To distinguish security patches from other patches, we first build a security patch database that contains more than 4700 security patches mapped to records in the CVE list. Next, we identify a set of features that help distinguish security patches from non-security ones using machine learning approaches. Finally, we use code clone identification mechanisms to discover similar patches or vulnerabilities in similar types of OSS. The experimental results show that our approach achieves good detection performance. A case study on OpenSSL, LibreSSL, and BoringSSL discovers 12 secret security patches.
  2. Android controls the majority of the global OS market. The Android Open Source Project (AOSP) is a very complex system with many layers, including the apps, the Application Framework, the middleware, the customized Linux kernel, and the trusted components. Although security is implemented in every layer, the Application Framework forms an important part of the attack surface because it manages the user interface and permissions. Android security has evolved over the years. The security flaws found in the Application Framework led to a redesign of Android permissions. Part of this evolution includes fixes to the vulnerabilities that are publicly released in the monthly Android security bulletins. In this study, we analyze the CVEs listed in the Android security bulletins within the last 6 years. We focus on the Android Application Framework and investigate several research questions relating to 1) the security-relevant components, 2) the type and amount of testing information for the security patches, and 3) the adequacy of the tests designed to test these patches. Our findings indicate that Android security testing practices can be further improved by designing tests specific to security bulletin updates, and by improving code coverage of patched files.
  3. Abstract The impact that each individual non-pharmaceutical intervention (NPI) had on the spread rate of COVID-19 is difficult to estimate, since several NPIs were implemented in rapid succession in most countries. In this article, we analyze the detectability of sudden changes in a parameter of nonlinear dynamical systems, which could be used to represent NPIs or mutations of the virus, in the presence of measurement noise. Specifically, by taking an agnostic approach, we provide necessary conditions for when the best possible unbiased estimator is able to isolate the effect of a sudden change in a model parameter, by using the Hammersley–Chapman–Robbins (HCR) lower bound. Several simplifications to the calculation of the HCR lower bound are given, which depend on the amplitude of the sudden change and the dynamics of the system. We further define the concept of the most informative sample based on the largest distance between two output trajectories, which is a good indicator of when the HCR lower bound converges. These results are thereafter used to analyze the susceptible-infected-removed model. For instance, we show that performing analysis using the number of recovered/deceased, as opposed to the cumulative number of infected, may be an inferior signal to use since sudden changes are fundamentally more difficult to estimate and seem to require more samples. Finally, these results are verified by simulations and applied to real data from the spread of COVID-19 in France.
  4. McMahon, Katherine (Ed.)
    ABSTRACT The impacts of global climate change on dryland fungi have been understudied even though fungi are extremely sensitive to changes in the environment. Considering that many fungi are pathogens of plants and animals, including humans, their responses to anthropogenic change could have important implications for public health and food security. In this study, we investigated the potential physiological responses (i.e., metatranscriptomics) of pathogenicity and stress in dryland fungi exposed to the global change drivers of drought and the physical disturbance associated with land use. Specifically, we wanted to assess whether there was an increase in the transcription of genes associated with pathogenicity and stress in response to global change drivers. In addition, we wanted to investigate which pathogenicity and stress genes were consistently differentially expressed under the different global change conditions across the heterogeneous landscape (i.e., microsites) of the Chihuahuan desert. We observed increased transcription of pathogenicity and stress genes, with specific genes being most upregulated in response to global change drivers. Additionally, climatic conditions linked to different microsites, such as those found under patches of vegetation, may play a significant role. We provide evidence supporting the idea that environmental stress caused by global change could contribute to an increase in pathogenicity as the global climate changes. Specifically, increases in the transcription of stress and virulence genes, coupled with variations in gene expression, could lead to the onset of pathogenicity. Our work underscores the importance of studying dryland fungi exposed to global climate change, increases in existing fungal pathogens, the emergence of new fungal pathogens, and the consequences for public health and food security.
    IMPORTANCE The effects of global climate change on dryland fungi and the consequences for our society have been understudied despite evidence showing that pathogenic fungi increase in abundance under global climate change. Moreover, there is a growing concern that global climate change will contribute to the emergence of new fungal pathogens. Yet, we do not understand what mechanisms might be driving this increase in virulence and the onset of pathogenicity. In this study, we investigate how fungi respond to the global change drivers of physical disturbance and drought in a dryland ecosystem in terms of pathogenicity and stress. We find that, under global change drivers, there is indeed an increase in the transcription and expression of genes associated with pathogenicity and stress, but that microclimatic conditions matter. Our study shows the importance of investigating dryland fungi exposed to global climate change and the impacts on our society, which may include threats to public health and food security.
  5. The oceanography of the Gulf of Maine has recently changed in ways that have not been seen previously, but that are likely to be more common in the future. Because of the rapid rate of change, some view the Gulf of Maine as a window into the ocean’s future, with the idea that lessons learned can be applied in places that have yet to experience similar rapid changes. Based on a formal statistical definition of oceanographic surprises, the frequency of surprises in the Gulf of Maine is higher and has increased faster than expected even given underlying trends. The analysis suggests that we should expect new kinds of surprises that are characteristically different from previous ones. The implication for policymaking is that in addition to considering long-term environmental changes, it is important to consider scenarios of sudden, unexpected, and potentially extreme environmental changes.