Detecting "0-Day" Vulnerability: An Empirical Study of Secret Security Patch in OSS

Title: Detecting "0-Day" Vulnerability: An Empirical Study of Secret Security Patch in OSS
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Wang, Xinda; Sun, Kun; Batcheller, Archer; Jajodia, Sushil
Conference Name: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Date Published: June
Keywords: 0-day attacks, 0-day vulnerability, armored attackers, BoringSSL, compositionality, Computer bugs, Databases, easy software development management, Human Behavior, learning (artificial intelligence), machine learning, Metrics, n-day attacks, Open Source Software, pubcrawl, public domain software, Resiliency, secret security patches, secretly patched vulnerabilities, security, security fixes, security of data, security patch, security patch database, security patches mapping, software development management, software maintenance, software vendors, Training, unpatched OSS versions, vulnerability detection, vulnerable code public
Abstract: Security patches in open source software (OSS) not only provide fixes for identified vulnerabilities, but also expose the vulnerable code to attackers. Armored attackers may therefore misuse this information to launch N-day attacks against unpatched OSS versions. The best practice for preventing such N-day attacks is to upgrade the software to the latest version without delay. However, due to concerns about reputation and ease of software development management, software vendors may choose to secretly patch vulnerabilities in a new version without reporting them to the CVE list or even providing an explicit description in their change logs. When such secretly patched vulnerabilities are identified by armored attackers, they can be turned into powerful "0-day" attacks, which can be exploited to compromise not only unpatched versions of the same software, but also similar types of OSS (e.g., SSL libraries) that may contain the same vulnerability because of code cloning or similar design/implementation logic. It is therefore critical to identify secret security patches and downgrade the risk of such "0-day" attacks to at least "n-day" attacks. In this paper, we develop a defense system and implement a toolset to automatically identify secret security patches in open source software. To distinguish security patches from other patches, we first build a security patch database containing more than 4700 security patches mapped to records in the CVE list. Next, we identify a set of features that help distinguish security patches from non-security ones using machine learning approaches. Finally, we use code clone identification mechanisms to discover similar patches or vulnerabilities in similar types of OSS. The experimental results show that our approach achieves good detection performance. A case study on OpenSSL, LibreSSL, and BoringSSL discovers 12 secret security patches.
Citation Key: wang_detecting_2019