A study of software security problem disclosure, correction and patching processes

Quantitative analysis of software security problems plays an important role in understanding software security. Information on how and when software security problems are disclosed, exploited in the field, fixed by developers and patched by users is usually analysed from a calendar-time perspective. That perspective yields worst-case assessments and effort-to-fix information, but it is not directly related to the actual operational impact of the discovered problems. Since security problems are a subset of the more general category of software problems, it appears reasonable to assess them with the usage metrics of classical software reliability engineering, such as in-service time. The main goal of this thesis is to investigate operational software security problem disclosure, correction and patching processes through publicly available information, and thereby to improve our understanding of the issues and to enable better process and defense planning and related decision making. One of the issues one runs into almost immediately when studying open software security data is the distributed nature and diversity of such data: the data reside in numerous databases, in different formats, and collecting that information is a challenge. The first step in the current work was therefore to develop a set of tools for automated collection of linked information across public repositories. Two kinds of products were investigated: those that follow a process of full disclosure of security problems before fixes are available (we call them “full disclosure” products), and those that disclose security problems only together with fixes, possibly with only limited information about them (we call them “limited disclosure” products). To analyse and understand the collected information, a comprehensive security problem response model was developed that describes the interactions of events associated with users, developers, attackers, software security problems, and fixes.
The model captures the states through which a software product may go based on the discovery, disclosure, exploitation, failure, and correction of security problems. It distinguishes itself from published models by emphasizing the roles of the participants and the operational impact perspective. As part of the analyses, two sub-models are investigated for estimating the disclosure of unique security problems: the classical Logarithmic Poisson Execution Time (LPET) model, and a Bayesian model. The latter was included to capture subjective views of risk and exposure. Both models were found to work well: the LPET model in the context of security problem rates across releases, and the Bayesian model in the context of the disclosure of security problems per release. In combination with experimental data, the overall model was also used to investigate security problem disclosure, correction and patching policies. Time-to-discovery, time-to-disclosure, time-to-intrusion, time-to-patch-availability, and time-to-patch-application are some of the metrics in this context. Empirical results tell us that between 30% and 80% of the reported problems will fail in the field only if end-users interact with the attack mechanism (e.g., opening a malicious attachment in an email). We classify such problems as “voluntary” security problems. Early warning/disclosure of such problems may help users take precautions. An interesting question is “Under what conditions is the policy of early disclosure of voluntary security problems a good one?”. This is discussed from two perspectives: (a) users do not intervene in the installation of patches (we call it “automatic updates”) and (b) users do intervene (we call it “non-automatic updates”). For a given set of values of the process metrics under consideration, it is shown what percentage of users should heed the warning for the policy of early disclosure to be effective. Several other such policies are examined and discussed.
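The abstract names the Logarithmic Poisson Execution Time (LPET, Musa-Okumoto) model as one of the two sub-models for estimating the disclosure of unique security problems, with in-service time as the usage metric. The following is an added example, not code from the thesis: it fits the LPET model by maximum likelihood to a constructed list of disclosure times measured in in-service time and evaluates the fitted mean value and intensity functions. The disclosure times, the observation horizon, and the function names are all assumptions made for illustration; the model equations (mean value function mu(tau) = ln(lambda0*theta*tau + 1)/theta and intensity lambda(tau) = lambda0/(lambda0*theta*tau + 1)) are the standard Musa-Okumoto forms. The example also handles the failure mode in which the data show no reliability growth, where the finite maximum-likelihood estimate does not exist.

```python
"""Fit the LPET (Musa-Okumoto) model to security problem disclosure times.

The model is a non-homogeneous Poisson process whose intensity decays as
the cumulative number of disclosed problems grows; time is in-service time
(e.g. thousands of deployed-instance years), not calendar time.
"""
import math


def lpet_mean(lambda0, theta, tau):
    """Expected cumulative number of unique problems disclosed by time tau."""
    return math.log(lambda0 * theta * tau + 1.0) / theta


def lpet_intensity(lambda0, theta, tau):
    """Disclosure rate (problems per unit in-service time) at time tau."""
    return lambda0 / (lambda0 * theta * tau + 1.0)


def _score(beta, times, horizon):
    """Derivative of the profile log-likelihood in beta = lambda0 * theta.

    For the NHPP log-likelihood  n*ln(lambda0) - sum ln(1 + beta*t_i)
    - (lambda0/beta)*ln(1 + beta*T), solving for lambda0 in closed form and
    differentiating the remaining expression in beta gives this score.
    """
    n = len(times)
    x = beta * horizon
    return (n / beta
            - n * horizon / ((1.0 + x) * math.log1p(x))
            - sum(t / (1.0 + beta * t) for t in times))


def fit_lpet(times, horizon):
    """Maximum-likelihood (lambda0, theta) from disclosure times on [0, horizon].

    Raises ValueError when the data show no growth, i.e. when the mean
    disclosure time is at least horizon/2: the score is then negative as
    beta -> 0+ and the likelihood is maximised by the homogeneous Poisson
    limit, so no finite LPET estimate exists.
    """
    n = len(times)
    if n == 0 or any(t < 0.0 or t > horizon for t in times):
        raise ValueError("need at least one disclosure time inside [0, horizon]")
    if sum(times) >= n * horizon / 2.0:
        raise ValueError("no reliability growth in data; LPET MLE does not exist")

    # The score is positive near beta = 0 (growth present) and negative for
    # large beta, so bracket a root and bisect on it.
    lo, hi = 1e-9, 1.0
    while _score(hi, times, horizon) > 0.0:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if _score(mid, times, horizon) > 0.0:
            lo = mid
        else:
            hi = mid
    beta = 0.5 * (lo + hi)
    # Closed-form lambda0 given beta; by construction mu(horizon) equals n.
    lambda0 = n * beta / math.log1p(beta * horizon)
    theta = beta / lambda0
    return lambda0, theta


def expected_in_window(lambda0, theta, start, end):
    """Expected number of new disclosures between in-service times start and end."""
    return lpet_mean(lambda0, theta, end) - lpet_mean(lambda0, theta, start)


if __name__ == "__main__":
    # Constructed sample: in-service times (arbitrary units) at which ten
    # unique security problems of one release were disclosed, observed up
    # to horizon 10.0. Disclosures cluster early, as reliability growth
    # models expect.
    disclosures = [0.2, 0.5, 0.9, 1.4, 2.0, 2.8, 3.9, 5.3, 7.1, 9.4]
    horizon = 10.0
    lambda0, theta = fit_lpet(disclosures, horizon)
    print(f"lambda0 = {lambda0:.4f}, theta = {theta:.4f}")
    print(f"intensity at t=0:   {lpet_intensity(lambda0, theta, 0.0):.4f}")
    print(f"intensity at t=T:   {lpet_intensity(lambda0, theta, horizon):.4f}")
    print(f"expected new disclosures in (T, 2T]: "
          f"{expected_in_window(lambda0, theta, horizon, 2 * horizon):.3f}")
```

The no-growth check matters in practice: a release whose disclosures arrive uniformly over its observation window (for example because its user base is still expanding) is better described by a constant rate, and forcing an LPET fit on it would only produce a runaway bisection. The fitted intensity at the horizon, compared with the intensity at release, is the operational quantity a defender cares about when deciding how much patching effort a release is still likely to demand.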
