An Empirical Study of Secret Security Patch in Open Source Software

Abstract

Security patches of Open Source Software (OSS) point out the vulnerable source code and provide security fixes, which attackers can misuse to generate exploits for N-day attacks. Though the best practice for defending against this type of N-day attack is to patch the software promptly, this becomes a challenge when a system bundles multiple OSS components with a large number of patches, including security fixes, bug fixes, and new features. Even worse, software vendors may secretly patch their vulnerabilities without reporting them to CVE or providing any explicit description in the change logs. Hence, well-equipped attackers may compromise not only unpatched versions of the same software, but also other software with similar functionality due to code clones or similar logic. We consider this one type of “0-day” vulnerability. Since such secret security patches should be correctly identified and applied with high priority, we develop a machine learning based toolset to help distinguish security patches from non-security patches. We then conduct an empirical analysis of three popular open source SSL libraries to study the existence of secret security patches. Our experimental results suggest that a joint effort is needed to eliminate this type of “0-day” attack introduced by secret patches.

Notes

  1. The dataset is available at https://github.com/SecretPatch/Dataset.

Acknowledgements

We would like to thank Shu Wang and Fuxun Yu for their valuable suggestions on this work. This work is partially supported by NSF grants CNS-1822094 and IIP-1266147 and ONR grants N00014-16-1-3214, N00014-16-1-3216, and N00014-18-2893.

Corresponding author

Correspondence to Kun Sun.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this chapter

Wang, X., Sun, K., Batcheller, A., Jajodia, S. (2020). An Empirical Study of Secret Security Patch in Open Source Software. In: Jajodia, S., Cybenko, G., Subrahmanian, V., Swarup, V., Wang, C., Wellman, M. (eds) Adaptive Autonomous Secure Cyber Systems. Springer, Cham. https://doi.org/10.1007/978-3-030-33432-1_13

  • DOI: https://doi.org/10.1007/978-3-030-33432-1_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-33431-4

  • Online ISBN: 978-3-030-33432-1

  • eBook Packages: Computer Science (R0)