Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities

@inproceedings{Clark2010FamiliarityBC,
  title={Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities},
  author={Sandy Clark and Stefan Frei and Matt Blaze and Jonathan M. Smith},
  booktitle={ACSAC '10},
  year={2010}
}
Work on security vulnerabilities in software has primarily focused on three points in the software life-cycle: (1) finding and removing software defects, (2) patching or hardening software after vulnerabilities have been discovered, and (3) measuring the rate of vulnerability exploitation. This paper examines an earlier period in the software vulnerability life-cycle, starting from the release date of a version through to the disclosure of the fourth vulnerability, with a particular focus on… 
The Software Vulnerability Ecosystem: Software Development In The Context Of Adversarial Behavior
TLDR
Using a novel data-driven analysis of large databases of vulnerabilities, it is suggested that the rapid-release cycles used in agile software development (in which new software is introduced frequently) have a vulnerability discovery rate equivalent to conventional development.
Timelines for In-Code Discovery of Zero-Day Vulnerabilities and Supply-Chain Attacks
TLDR
This study addresses an aspect of their longevity by considering the likelihood that they will be discovered in the code across versions, and approximates well-disguised vulnerabilities as only being discoverable if the relevant lines of code are explicitly examined, and obvious vulnerabilities as being discoverable if any part of the relevant file is examined.
Moving Targets: Security and Rapid-Release in Firefox
TLDR
Surprisingly, the resulting data show that Firefox RRC does not result in higher vulnerability rates and, further, that it is exactly the unfamiliar, newly released software (the "moving targets") that requires time to exploit.
Large Scale Characterization of Software Vulnerability Life Cycles
TLDR
An exploratory measurement study of a large software vulnerability data set containing 56077 vulnerabilities disclosed from 1988 to 2013 uncovers several statistically significant findings that have important implications for software development and deployment.
Software Vulnerability Life Cycles and the Age of Software Products: An Empirical Assertion with Operating System Products
TLDR
The results indicate that the age of the observed Microsoft products does not affect the turnaround times, and only feeble statistical relationships are present for the examined Linux releases.
An historical examination of open source releases and their vulnerabilities
TLDR
Examining historical releases of Sendmail, Postfix, Apache httpd and OpenSSL by using static source code analysis and the entry-rate in the Common Vulnerabilities and Exposures dictionary for a release shows that software quality, as measured by the number of issues, issue density or number of exploitable bugs, does not always improve with each new release.
A large scale exploratory analysis of software vulnerability life cycles
TLDR
An exploratory measurement study of a large software vulnerability data set containing 46310 vulnerabilities disclosed from 1988 to 2011 uncovers several statistically significant findings that have important implications for software development and deployment.
Vulnerability Scrying Method for Software Vulnerability Discovery Prediction Without a Vulnerability Database
TLDR
Vulnerability scrying, a new paradigm for vulnerability discovery prediction that uses code properties as its parameters, is proposed.
The Tip of the Iceberg
TLDR
This first investigation into the problem that studies a complete distribution of software, spanning multiple versions, finds no clear evidence that the vulnerability rate of widely used software decreases over time and shows that several popular beliefs cannot be confirmed given the dataset.

References

An Empirical Analysis of Exploitation Attempts Based on Vulnerabilities in Open Source Software
TLDR
Empirical analysis of two years of security alert data from intrusion detection systems indicates that open source software vulnerabilities are at greater risk of exploitation, diffuse more rapidly, and have a greater volume of exploitation attempts.
Blood in the Water - Are there Honeymoon Effects Outside Software?
TLDR
This position paper examines representative examples in security protocols (Needham-Schroeder), crypto algorithms (hash functions), and security architecture (virtual machines), where an analysis of inter-arrival times of published papers discussing attacks suggests that honeymoons are enjoyed across a wide range of computer security defenses.
Milk or Wine: Does Software Security Improve with Age?
TLDR
Strong statistical evidence of a decrease in the rate at which foundational vulnerabilities are being reported is found, however, this decrease is anything but brisk: foundational vulnerabilities have a median lifetime of at least 2.6 years.
Modeling the vulnerability discovery process
Omar H. Alhazmi, Y. Malaiya. 16th IEEE International Symposium on Software Reliability Engineering (ISSRE'05), 2005.
TLDR
The models for the vulnerability discovery process are examined both analytically and using actual data on vulnerabilities discovered in three widely-used systems.
Windows of Vulnerability: A Case Study Analysis
TLDR
A life cycle model for system vulnerabilities is proposed, then applied to three case studies to reveal how systems often remain vulnerable long after security fixes are available.
Improving vulnerability discovery models
TLDR
A standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process is proposed, and the theoretical requirements of VDMs are described, to highlight the shortcomings of existing work.
An empirical study of operating systems errors
TLDR
A study of operating system errors found by automatic, static, compiler analysis applied to the Linux and OpenBSD kernels found that device drivers have error rates up to three to seven times higher than the rest of the kernel.
N-Variant Systems: A Secretless Framework for Security through Diversity
TLDR
The N-variant systems framework is introduced, a model for analyzing security properties of N-Variant systems is presented, variations that can be used to detect attacks that involve referencing absolute memory addresses and executing injected code are defined, and performance results from a prototype implementation are presented.
A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
TLDR
The collected data indicates that the breaches during the standard attack phase are statistically equivalent and that the times between breaches are exponentially distributed, which would actually imply that traditional methods for reliability modeling could be applicable.