DOI: 10.1145/3485447.3512236
Research article, Public Access

Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects

Published: 25 April 2022

Abstract

Since users of open source software (OSS) projects do not always run the latest version, OSS development teams often maintain multiple stable branches to support old versions. Typically, the developers create a stable branch for each old stable version, deploy security patches on that branch, and release fixed versions at regular intervals. In this way, old-version applications in production environments stay protected against disclosed vulnerabilities for a long time. However, the rapidly growing number of OSS vulnerabilities has greatly strained this patch deployment model, and the security community critically needs to understand the practice of security patch management across stable branches. In this work, we conduct a large-scale empirical study of stable branches in OSS projects and the security patches deployed on them, investigating 608 stable branches belonging to 26 popular OSS projects as well as more than 2,000 security fixes for 806 CVEs deployed on stable branches.
Our study distills several important findings: (i) more than 80% of affected CVE-branch pairs are unpatched; (ii) the unpatched vulnerabilities can pose a serious security risk to applications in use, with 47.39% of them having a CVSS score over 7 (High or Critical severity); and (iii) the patch porting process requires great manual effort and takes an average of 40.46 days, significantly extending the time window for N-day vulnerability attacks. Our results reveal the worrying state of security patch management across stable branches. We hope our study can shed some light on improving the practice of patch management in OSS projects.
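The abstract's three measurements (unpatched CVE-branch pairs, the CVSS severity of what is left unpatched, and the porting delay) can be reproduced on a small scale from a project's git history. The script below is an added example and is not the paper's code or method; it assumes one heuristic for patch presence, namely that a backport either carries the upstream fix commit itself or a `(cherry picked from commit <sha>)` trailer as written by `git cherry-pick -x`. All branch commits and CVE records are constructed inline; the SHAs, CVE IDs and dates are made up. Backports applied by hand without the trailer are reported as unpatched, which is a known blind spot of this heuristic and one reason the paper describes porting as manual work.

```python
"""Added example: model CVE-to-stable-branch patch status from commit metadata.

Assumption: a fix reaches a stable branch either as the upstream commit itself
or as a cherry-pick carrying the '(cherry picked from commit <sha>)' trailer.
All data below is constructed for illustration; nothing is from a real project.
"""
import re
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Trailer emitted by `git cherry-pick -x`; abbreviated or full SHA.
CHERRY_RE = re.compile(r"\(cherry picked from commit ([0-9a-f]{7,40})\)")


@dataclass(frozen=True)
class Commit:
    sha: str
    authored: date
    message: str


@dataclass(frozen=True)
class Cve:
    cve_id: str
    fix_sha: str      # upstream (development-branch) fix commit
    fix_date: date    # when the upstream fix landed
    cvss: float       # CVSS base score
    affected: tuple   # stable branches that contain the vulnerable code


def backport_sources(commit):
    """Upstream SHAs this commit declares as its origin via cherry-pick trailers."""
    return set(CHERRY_RE.findall(commit.message))


def find_fix(branch_commits, fix_sha):
    """Return the commit on a stable branch that carries the fix, or None.
    Matches the upstream commit directly (merged/fast-forwarded) or a
    cherry-pick whose trailer names it."""
    for c in branch_commits:
        if c.sha == fix_sha or fix_sha in backport_sources(c):
            return c
    return None


def assess(cves, branches):
    """Evaluate every affected (CVE, branch) pair.
    Returns (cve_id, branch, status, porting_delay_days_or_None) tuples."""
    rows = []
    for cve in cves:
        for b in cve.affected:
            fix = find_fix(branches.get(b, []), cve.fix_sha)
            if fix is None:
                rows.append((cve.cve_id, b, "unpatched", None))
            else:
                rows.append((cve.cve_id, b, "patched", (fix.authored - cve.fix_date).days))
    return rows


def summarize(rows, cves, high=7.0):
    """Aggregate the same three quantities the abstract reports."""
    cvss = {c.cve_id: c.cvss for c in cves}
    unpatched = [r for r in rows if r[2] == "unpatched"]
    delays = [r[3] for r in rows if r[3] is not None]
    return {
        "pairs": len(rows),
        "unpatched": len(unpatched),
        "unpatched_ratio": len(unpatched) / len(rows) if rows else 0.0,
        "unpatched_high": sum(1 for r in unpatched if cvss[r[0]] >= high),
        "mean_port_days": mean(delays) if delays else None,
    }


# Constructed sample history: three stable branches, newest commit last.
BRANCHES = {
    "stable-1.0": [
        Commit("a1", date(2021, 1, 10), "Release 1.0.3"),
        Commit("a2", date(2021, 3, 5), "Fix auth bypass\n\n(cherry picked from commit f0f0f0f)"),
    ],
    "stable-1.1": [
        Commit("b1", date(2021, 2, 1), "Release 1.1.0"),
        Commit("b2", date(2021, 2, 20), "Fix auth bypass\n\n(cherry picked from commit f0f0f0f)"),
        Commit("b3", date(2021, 5, 30), "Fix XSS in search\n\n(cherry picked from commit 1234567)"),
    ],
    "stable-1.2": [
        Commit("1234567", date(2021, 5, 1), "Fix XSS in search"),  # upstream fix merged directly
    ],
}

# Constructed CVE records (IDs, SHAs and scores are hypothetical).
CVES = [
    Cve("CVE-2021-0001", "f0f0f0f", date(2021, 1, 20), 9.8, ("stable-1.0", "stable-1.1")),
    Cve("CVE-2021-0002", "1234567", date(2021, 5, 1), 6.1, ("stable-1.0", "stable-1.1", "stable-1.2")),
    Cve("CVE-2021-0003", "deadbee", date(2021, 6, 1), 7.5, ("stable-1.0", "stable-1.1", "stable-1.2")),
]

if __name__ == "__main__":
    for row in assess(CVES, BRANCHES):
        print(*row)
    print(summarize(assess(CVES, BRANCHES), CVES))
```

On the sample history, 4 of 8 affected pairs are unpatched, 3 of those 4 are High severity, and the four backports that do exist landed 0 to 44 days after the upstream fix. Against a real repository the same logic can be fed from `git log --format='%H%x00%as%x00%B'` per stable branch, with the CVE-to-fix-commit mapping taken from the advisory or NVD references.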


Cited By

View all
  • (2024) Towards Measuring Vulnerabilities and Exposures in Open-Source Packages. Data Science—Analytics and Applications, pp. 13-19. DOI: 10.1007/978-3-031-42171-6_2. Online publication date: 4 Jan 2024.

Published In

cover image ACM Conferences
WWW '22: Proceedings of the ACM Web Conference 2022
April 2022
3764 pages
ISBN:9781450390965
DOI:10.1145/3485447

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. OSS Vulnerabilities
  2. Patch Deployment Study
  3. Security Patches

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WWW '22
Sponsor:
WWW '22: The ACM Web Conference 2022
April 25 - 29, 2022
Virtual Event, Lyon, France

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
