论文信息 - How Open Should Open Source Be?

How Open Should Open Source Be?

Many open-source projects land security fixes in public repositories before shipping these patches to users. This paper presents attacks on such projects - taking Firefox as a case-study - that exploit patch metadata to efficiently search for security patches prior to shipping. Using access-restricted bug reports linked from patch descriptions, security patches can be immediately identified for 260 out of 300 days of Firefox 3 development. In response to Mozilla obfuscating descriptions, we show that machine learning can exploit metadata such as patch author to search for security patches, extending the total window of vulnerability by 5 months in an 8 month period when examining up to two patches daily. Finally we present strong evidence that further metadata obfuscation is unlikely to prevent information leaks, and we argue that open-source projects instead ought to keep security patches secret until they are ready to be released.

Dawn Xiaodong Song | Benjamin I. P. Rubinstein | Adam Barth | Saung Li

[1] David Brumley,et al. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[2] U. Fayyad. On the induction of decision trees for multiple concept learning , 1991 .

[3] Hsuan-Tien Lin,et al. A note on Platt’s probabilistic outputs for support vector machines , 2007, Machine Learning.

[4] Nello Cristianini,et al. An introduction to Support Vector Machines , 2000 .

[5] J. Ross Quinlan,et al. Induction of Decision Trees , 1986, Machine Learning.

[6] Bernhard Plattner,et al. Firefox (In) security update dynamics exposed , 2008, CCRV.

[7] Stefan Frei,et al. Why Silent Updates Boost Security , 2009 .

[8] Chih-Jen Lin,et al. LIBSVM: A library for support vector machines , 2011, TIST.

[9] A. Atiya,et al. Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond , 2005, IEEE Transactions on Neural Networks.