Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

Qiushi Wu, Yang He, Stephen McCamant, Kangjie Lu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

35 Scopus citations

Abstract

A bug is a vulnerability if it has security impacts when triggered. Determining the security impacts of a bug is important to both defenders and attackers. Maintainers of large software systems are bombarded with numerous bug reports and proposed patches, with missing or unreliable information about their impact. Determining which few bugs are vulnerabilities is difficult, and bugs that a maintainer believes do not have security impact will be de-prioritized or even ignored. On the other hand, a public report of a bug with a security impact is a powerful first step towards exploitation. Adversaries may exploit such bugs to launch devastating attacks if defenders do not fix them promptly. Common practice is for maintainers to assess the security impacts of bugs manually, but the scaling and reliability challenges of manual analysis lead to missed vulnerabilities. We propose an automated approach, SID, to determine the security impacts for a bug given its patch, so that maintainers can effectively prioritize applying the patch to the affected programs. The insight behind SID is that both the effect of a patch (either submitted or applied) and security-rule violations (e.g., out-of-bound access) can be modeled as constraints that can be automatically solved. SID incorporates rule comparison, using under-constrained symbolic execution of a patch to determine the security impacts of an un-applied patch. SID can further automatically classify vulnerabilities based on their security impacts. We have implemented SID and applied it to bug patches of the Linux kernel and matching CVE-assigned vulnerabilities to evaluate its precision and recall. We optimized SID to reduce false positives, and our evaluation shows that, from 54K recent valid commit patches, SID detected 227 security bugs with at least 243 security impacts at a 97% precision rate. Critically, 197 of them were not reported as vulnerabilities before, leading to delayed or ignored patching in derivative programs. Even worse, 21 of them are still unpatched in the latest Android kernel. Once exploited, they can cause critical security impacts on Android devices. The evaluation results confirm that SID's approach is effective and precise in automatically determining security impacts for a massive stream of bug patches.

Original languageEnglish (US)
Title of host publication27th Annual Network and Distributed System Security Symposium, NDSS 2020
PublisherThe Internet Society
ISBN (Electronic)1891562614, 9781891562617
DOIs
StatePublished - 2020
Event27th Annual Network and Distributed System Security Symposium, NDSS 2020 - San Diego, United States
Duration: Feb 23 2020Feb 26 2020

Publication series

Name27th Annual Network and Distributed System Security Symposium, NDSS 2020

Conference

Conference27th Annual Network and Distributed System Security Symposium, NDSS 2020
Country/TerritoryUnited States
CitySan Diego
Period2/23/202/26/20

Bibliographical note

Publisher Copyright:
© 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.

Fingerprint

Dive into the research topics of 'Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison'. Together they form a unique fingerprint.

Cite this