DOI: 10.1145/3618257.3624810
ACM Conferences / IMC Conference Proceedings
Research article, Public Access

The CVE Wayback Machine: Measuring Coordinated Disclosure from Exploits against Two Years of Zero-Days

Published: 24 October 2023

Abstract

Software security depends on coordinated vulnerability disclosure (CVD) from researchers, a process that the community has continually sought to measure and improve. Yet, CVD practices are only as effective as the data that informs them. In this paper, we use DScope, a cloud-based interactive Internet telescope, to build statistical models of vulnerability lifecycles, bridging the data gap in over 20 years of CVD research. By analyzing application-layer Internet scanning traffic over two years, we identify real-world exploitation timelines for 63 threats. We bring this data together with six additional datasets to build a complete birth-to-death model of these vulnerabilities, the most complete analysis of vulnerability lifecycles to date. Our analysis reaches three key recommendations: (1) CVD across diverse vendors shows lower effectiveness than previously thought, (2) intrusion detection systems are underutilized to provide protection for critical vulnerabilities, and (3) existing data sources of CVD can be augmented by novel approaches to Internet measurement. In this way, our vantage point offers new opportunities to improve the CVD process, achieving a safer software ecosystem in practice.
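The "birth-to-death" model the abstract describes is, at its core, a join between exploitation dates observed in scanning traffic and the dated events of the disclosure process (disclosure, patch, IDS rule), followed by arithmetic on the resulting windows. The following is an added example that sketches that join; it is not the paper's code, not DScope, and uses no real vulnerability data. The telescope log excerpt, the `VULN-A`/`VULN-B`/`VULN-C` identifiers, the `/hypo/...` request-path signatures and every date are constructed for illustration.

```python
"""Constructed vulnerability-lifecycle model: telescope-observed exploitation joined with
disclosure, patch and IDS-rule dates. All identifiers, paths and dates are hypothetical."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed telescope log excerpt: "YYYY-MM-DD src_ip method path".
# Source addresses are from documentation ranges; paths are invented.
SAMPLE_TELESCOPE_LOG = """\
2023-01-10 198.51.100.7 GET /
2023-01-15 203.0.113.9 POST /hypo/app-a/upload
2023-02-02 198.51.100.7 POST /hypo/app-a/upload
2023-03-20 203.0.113.44 GET /hypo/app-b/admin?cmd=id
"""

# Hypothetical request-path prefixes that mark an exploitation attempt for each vulnerability.
SIGNATURES = {"VULN-A": "/hypo/app-a/upload", "VULN-B": "/hypo/app-b/admin"}


@dataclass
class Lifecycle:
    vuln_id: str
    first_exploit: Optional[date] = None  # earliest matching request seen in telescope traffic
    disclosure: Optional[date] = None     # public advisory / CVE publication
    patch: Optional[date] = None          # vendor fix available
    ids_rule: Optional[date] = None       # IDS signature available


def first_exploit_dates(log_text, signatures):
    """Earliest date on which each signature appears in the telescope log."""
    first = {}
    for line in log_text.splitlines():
        day, _src, _method, path = line.split(maxsplit=3)
        seen = date.fromisoformat(day)
        for vid, prefix in signatures.items():
            if path.startswith(prefix) and (vid not in first or seen < first[vid]):
                first[vid] = seen
    return first


def days(start, end):
    """Signed day count from start to end, or None if either event is unknown."""
    if start is None or end is None:
        return None
    return (end - start).days


def windows(lc):
    """Lifecycle windows for one vulnerability; None where an event never occurred."""
    return {
        # positive: exploitation observed before public disclosure (a zero-day in the wild)
        "exploit_lead_days": days(lc.first_exploit, lc.disclosure),
        "zero_day": lc.first_exploit is not None
        and lc.disclosure is not None
        and lc.first_exploit < lc.disclosure,
        "disclosure_to_patch": days(lc.disclosure, lc.patch),
        "disclosure_to_ids_rule": days(lc.disclosure, lc.ids_rule),
        # how long a working exploit circulated before signature-based IDS could flag it
        "exploit_to_ids_rule": days(lc.first_exploit, lc.ids_rule),
    }


def summarise(lifecycles):
    """Aggregate the per-vulnerability windows into the headline statistics."""
    per = {lc.vuln_id: windows(lc) for lc in lifecycles}

    def med(key):
        vals = [w[key] for w in per.values() if w[key] is not None]
        return median(vals) if vals else None

    return {
        "n": len(per),
        "zero_day_count": sum(1 for w in per.values() if w["zero_day"]),
        "median_disclosure_to_patch": med("disclosure_to_patch"),
        "median_exploit_to_ids_rule": med("exploit_to_ids_rule"),
        "never_covered_by_ids": sorted(v for v, w in per.items() if w["disclosure_to_ids_rule"] is None),
        "per_vuln": per,
    }


def build_model():
    """Join telescope-derived exploit dates with the (constructed) disclosure-process dates."""
    observed = first_exploit_dates(SAMPLE_TELESCOPE_LOG, SIGNATURES)
    lifecycles = [
        Lifecycle("VULN-A", observed.get("VULN-A"), date(2023, 2, 1), date(2023, 2, 5), date(2023, 2, 20)),
        Lifecycle("VULN-B", observed.get("VULN-B"), date(2023, 3, 1), date(2023, 3, 15), None),
        Lifecycle("VULN-C", observed.get("VULN-C"), date(2023, 4, 1), None, date(2023, 4, 3)),
    ]
    return summarise(lifecycles)


if __name__ == "__main__":
    for key, value in build_model().items():
        print(key, value)
```

In this constructed set, `VULN-A` is exploited 17 days before disclosure and has no IDS coverage until 36 days after the first observed attempt, `VULN-B` is exploited only after disclosure and never receives a rule, and `VULN-C` is never seen in the telescope at all. Missing events are kept as `None` rather than dropped, which matters when comparing against sources such as a known-exploited-vulnerabilities catalog, where the absence of an entry is itself informative.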

      Published In

      IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference
      October 2023, 746 pages
      ISBN: 9798400703829
      DOI: 10.1145/3618257
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. coordinated vulnerability disclosure
      2. honeypots
      3. internet telescopes
      4. intrusion detection systems
      5. known exploited vulnerabilities

      Conference

      IMC '23: ACM Internet Measurement Conference
      October 24 - 26, 2023, Montreal QC, Canada

      Acceptance Rates

      Overall Acceptance Rate 277 of 1,083 submissions, 26%
