Timelines for In-Code Discovery of Zero-Day Vulnerabilities and Supply-Chain Attacks

08/29/2018
by Andrew J. Lohn, et al.

Zero-day vulnerabilities can be accidentally or maliciously placed in code and can remain in place for years. In this study, we address an aspect of their longevity by considering the likelihood that they will be discovered in the code across versions. We approximate well-disguised vulnerabilities as only being discoverable if the relevant lines of code are explicitly examined, and obvious vulnerabilities as being discoverable if any part of the relevant file is examined. We analyze the version-to-version changes in three types of open-source software (Mozilla Firefox, GNU/Linux, and glibc) to understand the rate at which the various pieces of code are amended and find that much of the revision behavior can be captured with a simple intuitive model. We use that model and the data from over a billion unique lines of code in 87 different versions of software to specify the bounds for in-code discoverability of vulnerabilities - from expertly hidden to obviously observable.
