Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities
@inproceedings{Clark2010FamiliarityBC,
  title     = {Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities},
  author    = {Sandy Clark and Stefan Frei and Matt Blaze and Jonathan M. Smith},
  booktitle = {ACSAC '10},
  year      = {2010}
}
Work on security vulnerabilities in software has primarily focused on three points in the software life-cycle: (1) finding and removing software defects, (2) patching or hardening software after vulnerabilities have been discovered, and (3) measuring the rate of vulnerability exploitation. This paper examines an earlier period in the software vulnerability life-cycle, starting from the release date of a version through to the disclosure of the fourth vulnerability, with a particular focus on…
58 Citations
The Software Vulnerability Ecosystem: Software Development In The Context Of Adversarial Behavior
- Computer Science
- 2017
Using a novel data-driven analysis of large databases of vulnerabilities, it is suggested that the rapid-release cycles used in agile software development (in which new software is introduced frequently) have a vulnerability discovery rate equivalent to conventional development.
Timelines for In-Code Discovery of Zero-Day Vulnerabilities and Supply-Chain Attacks
- Computer Science, ArXiv
- 2018
This study addresses an aspect of their longevity by considering the likelihood that they will be discovered in the code across versions; it approximates well-disguised vulnerabilities as discoverable only if the relevant lines of code are explicitly examined, and obvious vulnerabilities as discoverable if any part of the relevant file is examined.
Moving Targets: Security and Rapid-Release in Firefox
- Computer Science, CCS
- 2014
Surprisingly, the resulting data show that Firefox RRC does not result in higher vulnerability rates and, further, that it is exactly the unfamiliar, newly released software (the "moving targets") that requires time to exploit.
Large Scale Characterization of Software Vulnerability Life Cycles
- Computer Science, IEEE Transactions on Dependable and Secure Computing
- 2020
An exploratory measurement study of a large software vulnerability data set containing 56077 vulnerabilities disclosed from 1988 to 2013 uncovers several statistically significant findings that have important implications for software development and deployment.
Software Vulnerability Life Cycles and the Age of Software Products: An Empirical Assertion with Operating System Products
- Computer Science, CAiSE Workshops
- 2016
The results indicate that the age of the observed Microsoft products does not affect the turnaround times, and only feeble statistical relationships are present for the examined Linux releases.
An historical examination of open source releases and their vulnerabilities
- Computer Science, CCS
- 2012
Examining historical releases of Sendmail, Postfix, Apache httpd and OpenSSL by using static source code analysis and the entry-rate in the Common Vulnerabilities and Exposures dictionary for a release shows that software quality, as measured by the number of issues, issue density or number of exploitable bugs, does not always improve with each new release.
A large scale exploratory analysis of software vulnerability life cycles
- Computer Science, 2012 34th International Conference on Software Engineering (ICSE)
- 2012
An exploratory measurement study of a large software vulnerability data set containing 46310 vulnerabilities disclosed from 1988 to 2011 uncovers several statistically significant findings that have important implications for software development and deployment.
Vulnerability Scrying Method for Software Vulnerability Discovery Prediction Without a Vulnerability Database
- Computer Science, IEEE Transactions on Reliability
- 2013
Vulnerability scrying, a new paradigm for vulnerability discovery prediction, is proposed; it uses code properties as its parameters to predict vulnerability discovery.
The Tip of the Iceberg
- Computer Science, ACM Trans. Priv. Secur.
- 2020
This first investigation into the problem that studies a complete distribution of software, spanning multiple versions, finds no clear evidence that the vulnerability rate of widely used software decreases over time and shows that several popular beliefs cannot be confirmed given the dataset.
How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes
- Computer Science
- 2021
The first large-scale measurement of Free and Open Source Software vulnerability lifetimes is performed, and it is found that the average lifetime of a vulnerability is around 4 years, varying significantly between projects (~2 years for Chromium, ~7 years for OpenSSL).
References
An Empirical Analysis of Exploitation Attempts Based on Vulnerabilities in Open Source Software
- Computer Science, WEIS
- 2010
Empirical analysis of two years of security alert data from intrusion detection systems indicates that open source software vulnerabilities are at greater risk of exploitation, diffuse more rapidly, and have greater volume of exploitation attempts.
Blood in the Water - Are there Honeymoon Effects Outside Software?
- Computer Science, Security Protocols Workshop
- 2010
This position paper examines representative examples in security protocols (Needham-Schroeder), crypto algorithms (hash functions), and security architecture (virtual machines), where an analysis of inter-arrival times of published papers discussing attacks suggests that honeymoons are enjoyed across a wide range of computer security defenses.
Milk or Wine: Does Software Security Improve with Age?
- Computer Science, USENIX Security Symposium
- 2006
Strong statistical evidence of a decrease in the rate at which foundational vulnerabilities are being reported is found; however, this decrease is anything but brisk: foundational vulnerabilities have a median lifetime of at least 2.6 years.
Modeling the vulnerability discovery process
- Computer Science, 16th IEEE International Symposium on Software Reliability Engineering (ISSRE'05)
- 2005
The models for the vulnerability discovery process are examined both analytically and using actual data on vulnerabilities discovered in three widely-used systems.
Windows of Vulnerability: A Case Study Analysis
- Computer Science, Computer
- 2000
A life cycle model for system vulnerabilities is proposed, then applied to three case studies to reveal how systems often remain vulnerable long after security fixes are available.
Improving vulnerability discovery models
- Computer Science, QoP '07
- 2007
A standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process is proposed, and the theoretical requirements of VDMs are described, to highlight the shortcomings of existing work.
An empirical study of operating systems errors
- Computer Science, SOSP
- 2001
A study of operating system errors found by automatic, static, compiler analysis applied to the Linux and OpenBSD kernels found that device drivers have error rates up to three to seven times higher than the rest of the kernel.
N-Variant Systems: A Secretless Framework for Security through Diversity
- Computer Science, USENIX Security Symposium
- 2006
The N-variant systems framework is introduced, a model for analyzing security properties of N-Variant systems is presented, variations that can be used to detect attacks that involve referencing absolute memory addresses and executing injected code are defined, and performance results from a prototype implementation are presented.
A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
- Computer Science, IEEE Trans. Software Eng.
- 1997
The collected data indicates that the breaches during the standard attack phase are statistically equivalent and that the times between breaches are exponentially distributed, which would actually imply that traditional methods for reliability modeling could be applicable.