Unveiling the Characteristics and Impact of Security Patch Evolution

The number of disclosed vulnerabilities in open-source projects has been increasing steadily over the years, and thus it is important to deploy patches to repair vulnerabilities in a timely manner. However, due to the widespread reuse and customization of open-source software, there are often multip...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:IEEE/ACM International Conference on Automated Software Engineering : [proceedings] s. 1094 - 1106
Hlavní autori: Xie, Zifan, Wen, Ming, Wei, Zichao, Jin, Hai
Médium: Konferenčný príspevok..
Jazyk:English
Vydavateľské údaje: ACM 27.10.2024
Predmet:
Code Evolution
Codes
Ecosystems
Linux
Maintenance engineering
Manuals
Open source software
Security
Security Patch
Software engineering
Vulnerability Analysis
ISSN:2643-1572
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:The number of disclosed vulnerabilities in open-source projects has been increasing steadily over the years, and thus it is important to deploy patches to repair vulnerabilities in a timely manner. However, due to the widespread reuse and customization of open-source software, there are often multiple versions or branches of the same project that co-exist in the ecosystem. Therefore, it is often challenging and tricky to guarantee that an exposed vulnerability can be repaired thoroughly. Driven by this, plenty of 1-day vulnerability analysis tools have been proposed recently, such as function-level vulnerability detection and patch presence test tools. Despite the fact that code evolution is common for open-source projects, existing analysis tools often neglect the important fact that the patched code is also constantly evolving. In this study, we take the first look to systematically investigate the phenomenon of security patch evolution in open-source projects. In particular, we performed extensive experiments on a large-scale dataset containing 1,046 distinct CVEs with 2,633 patches collected from popular open-source projects (e.g., linux, openssl). This study reveals interesting yet important findings with respect to the aspects of patch evolution frequency, patch evolution patterns, and the evolution impact on downstream 1-day vulnerability analysis tools. We believe that this study can shed important light on future researches on patch analysis.
ISSN:2643-1572
DOI:10.1145/3691620.3695488