Predicting Vulnerable Software Components Stephan Neuhaus Thomas - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Predicting Vulnerable Software Components

Stephan Neuhaus Thomas Zimmermann Andreas Zeller

slide-2
SLIDE 2

Security Advisory 2005-12

Title: Livefeed bookmarks can steal cookies Impact: High Products: Firefox Description: Earlier versions of Firefox allowed javascript: and data: URLs as Livefeed bookmarks. When they updated the URL would be run in the context of the current page and could be used to steal cookies or data displayed on the page. If the user were on a page with elevated privileges (for example, about:config) when the Livefeed was updated, the feed URL could potentially run arbitrary code on the user's machine.

Security Advisory 2005-13

Title: Window Injection Spoofing Severity: Low Products: Firefox, Mozilla Suite Description: A website can inject content into a popup opened by another site if the target name of the popup window is known. An attacker who knows you are going to visit that other site could spoof the contents of the popup.

Security Advisory 2005-14

Title: SSL "secure site" indicator spoofing Severity: Moderate Products: Firefox, Mozilla Suite Description: Various schemes were reported that could cause the "secure site" lock icon to appear and show certificate details for the wrong site. These could be used by phishers to make their spoofs look more legitimate, particularly in windows that hide the address bar showing the true location.

Security Advisory 2005-15

Title: Heap overflow possible in UTF8 to Unicode conversion Severity: High Products: Firefox, Thunderbird, Mozilla Suite Description: It is possible for a UTF8 string with invalid sequences to trigger a heap overflow of converted Unicode data. Exploitability would depend on the attacker's ability to get the string into the buggy converter. General web content is converted elsewhere but we can't rule out the possibility of a successful attack.

Security Advisory 2005-16

Title: Spoofing download and security dialogs with overlapping windows Severity: High Products: Firefox, Mozilla Suite Description: Michael Krax demonstrates that the download dialog and security dialogs can be spoofed by partially covering them with an overlapping window. Some users may not notice the OS window border and browser statusbar bisecting what appears to be a single dialog, and be convinced by the spoofing text of the top-most window to click on the "Allow" or "Open" button of the window below.

Vulnerabilities

Security Advisory 2005-41

Title: Privilege escalation via DOM property overrides Severity: Critical Products: Firefox, Mozilla Suite Description: moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window.

Security Advisory 2006-76

Title: XSS using outer window's Function object Impact: High Products: Firefox 2.0 Description: moz_bug_r_a4 demonstrated that the Function prototype regression described in bug 355161 could be exploited to bypass the protections against cross site script (XSS) injection, which could be used to steal credentials or sensitive data from arbitrary sites or perform destructive actions on behalf of a logged-in user.

Is this new component likely to be vulnerable? What other components are vulnerable?

slide-3
SLIDE 3

[Figure: Vulture. Inputs: Vulnerability Database and Version Archive; code is grouped into Components; output: Predictor]

slide-4
SLIDE 4

[Figure: candidate features of Code: Programmer, Complexity, Language]

Look for features that are invariant under evolution

slide-5
SLIDE 5

GUI Database Certificates OS Imports

slide-6
SLIDE 6

[Figure: components importing nsIContent.h, nsIContentUtils.h, nsIScriptSecurityManager.h, marked ✘ (21) or ✔ (1)]

slide-7
SLIDE 7

[Figure: components importing nsIPrivateDOMEvent.h, nsReadableUtils.h, all 19 marked ✘]

slide-8
SLIDE 8

Research Questions

  • How well do imports predict vulnerabilities?
  • Can imports be used for classification (vulnerable or not) and for regression (number of vulnerabilities)?

slide-9
SLIDE 9

Case Study: Mozilla

  • CVS from January 4, 2007
  • 14,368 C/C++ files
  • 134 Security Advisories since January 2005
  • Only 424 vulnerable components (4.05%)

⇒ Prediction is challenging

slide-10
SLIDE 10
slide-11
SLIDE 11
slide-12
SLIDE 12

10,452 components in Mozilla, 424 vulnerable components (4.05%)

slide-13
SLIDE 13

Mozilla Vulnerabilities

[Tree map of the Mozilla source tree by directory; legible labels include security/nss, layout, js/src, xpconnect, mailnews, modules, gfx, content, extensions, xpcom, widget, embedding, directory/c-sdk, db, xpinstall, intl, netwerk, editor, toolkit, calendar, browser, parser, accessible, dom, other-license, rdf, docshell, camino, ipc, profile, view, caps]
slide-14
SLIDE 14

Mozilla Vulnerabilities

[Tree map of the Mozilla source tree, second view; legible labels include js/src, xpconnect, content, layout, security/nss, dom, widget, netwerk, caps, xpinstall, uriloader, modules/plugin, libpr0n, libjar, xpcom, parser, docshell, mailnews, embedding, editor, xpfe, extensions, toolkit, gfx, intl, view, accessible, rdf, storage, chrome, db, calendar, browser, camino, ipc]
slide-15
SLIDE 15

Distribution of MFSAs

[Plot: x axis Number of MFSAs (1 to 13), y axis Number of Components (ticks 1, 2, 5, 20, 50, 300)]

Distribution of Bug Reports

[Plot: x axis Number of Bug Reports (1 to 24), y axis Number of Components (ticks 1, 2, 5, 20, 50, 300)]

slide-16
SLIDE 16

Imports

  • 9,066 imports
  • 79,541 import relations (x imports y)
  • Takes about five minutes to compute
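The slides give the import counts but not the extraction step. The following Python is an added example, not the authors' Vulture tooling, showing how import relations ("x imports y") and the binary per-component feature vectors used for prediction can be derived from C/C++ sources. The sample sources are constructed; only the header names echo those shown on the slides, and the component names (compA.cpp etc.) are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample components (file name -> source text). Not Mozilla code;
# the header names merely echo the ones on the slides.
SAMPLE_SOURCES: Dict[str, str] = {
    "compA.cpp": (
        '#include "nsIContent.h"\n'
        '#include "nsIScriptSecurityManager.h"\n'
        '#include <stdio.h>\n'
        'void a() {}\n'
    ),
    "compB.cpp": (
        '#  include "nsIContent.h"   // unusual spacing is still an include\n'
        '#include "nsReadableUtils.h"\n'
        '#include "nsIContent.h"     // a repeated include counts once\n'
        '// #include "nsIPrivateDOMEvent.h"  (commented out: not an import)\n'
        'void b() {}\n'
    ),
    "compC.cpp": (
        '#include <stdio.h>\n'
        '#include "nsIPrivateDOMEvent.h"\n'
        'void c() {}\n'
    ),
}

# An include directive at the start of a line; the preprocessor allows
# whitespace between '#' and the keyword, so the pattern tolerates it.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)


def extract_imports(source: str) -> List[str]:
    """Distinct headers included by one component, in sorted order."""
    return sorted(set(INCLUDE_RE.findall(source)))


def import_relations(sources: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every (x, y) pair meaning 'component x imports header y'."""
    return [(comp, hdr)
            for comp, src in sorted(sources.items())
            for hdr in extract_imports(src)]


def feature_matrix(sources: Dict[str, str]) -> Tuple[List[str], Dict[str, List[int]]]:
    """Binary import features: one column per header seen anywhere in the
    corpus, one row per component, 1 where the component imports the header.
    This is the representation a classifier or regressor would be trained on."""
    relations = import_relations(sources)
    features = sorted({hdr for _, hdr in relations})
    index = {hdr: i for i, hdr in enumerate(features)}
    rows = {comp: [0] * len(features) for comp in sources}
    for comp, hdr in relations:
        rows[comp][index[hdr]] = 1
    return features, rows


def components_importing(sources: Dict[str, str], header: str) -> List[str]:
    """Components that import a given header (the view behind the ✘/✔ slides)."""
    return sorted(comp for comp, hdr in import_relations(sources) if hdr == header)


if __name__ == "__main__":
    features, rows = feature_matrix(SAMPLE_SOURCES)
    print(len(features), "imports,", len(import_relations(SAMPLE_SOURCES)),
          "import relations")
    for comp, row in rows.items():
        print(comp, row)
    print("import nsIContent.h:", components_importing(SAMPLE_SOURCES, "nsIContent.h"))
```

The regex view of includes is deliberately simple: it ignores includes inside block comments and does not resolve include paths, so on a real tree the counts will differ from the slide's 9,066 imports and 79,541 relations; the feature matrix is what matters, and it is sparse, which is why a linear SVM is a reasonable fit.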
slide-17
SLIDE 17

Results soon

slide-18
SLIDE 18

Support Vector Machines

slide-19
SLIDE 19

Support Vector Machines

Support Vectors

slide-20
SLIDE 20

Support Vector Machines

slide-21
SLIDE 21

Results Now!

slide-22
SLIDE 22

Experiments

  • 40 random splits: 6,968 rows in training set, 3,484 rows in validation set
  • Classification: train SVM, compute recall and precision
  • Regression: train SVM, compute rank correlation on top 1%
  • SVM: linear kernel with default parameters; R implementation (up to 10GB of main memory)

slide-23
SLIDE 23
[Plot (a) Precision and Recall: recall from 0.55 to 0.75 against precision from 0.35 to 0.55, one point per split]

[Plot (b) Rank Correlation: cumulative distribution (0.0 to 1.0) of the rank correlation (0.2 to 0.7) over the splits]

  • 2/3 of all vulnerable components detected
  • 45% (about 1/2) of predictions correct
  • Moderately strong correlation (mostly significant at p < 0.01)

slide-24
SLIDE 24

Similar Results for Bugs

Packages + Import relationships (Schröter et al., ISESE 2006): Precision 66.7%, Recall 69.4%

Binaries + Dependencies (Zimmermann/Nagappan @ Microsoft Research, 2006): Precision 64.4%, Recall 75.3%

slide-25
SLIDE 25

Predicted Rank   Component              Actual Rank
 1               nsDOMClassInfo           3
 2               SGridRowLayout          95
 3               xpcprivate               6
 4               jsxml                    2
 5               nsGenericHTMLElement     8
 6               jsgc                     3
 7               nsISEnvironment         12
 8               jsfun                    1
 9               nsHTMLLabelElement      18
10               nsHttpTransaction       35
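The experiment slide names the two evaluation measures (precision/recall for classification, rank correlation on the top 1% for regression) without showing how they are computed. The Python below is an added example, not the authors' R code: it implements both measures in plain Python, with a tie-aware Spearman rank correlation, and runs the regression measure over the ten predicted/actual ranks from the table above. The precision/recall inputs and the scores in `top_rank_correlation` are constructed.

```python
import math
from typing import Dict, List, Sequence, Set, Tuple

# (component, predicted rank, actual rank) as listed on the slide.
SLIDE_TABLE = [
    ("nsDOMClassInfo", 1, 3), ("SGridRowLayout", 2, 95), ("xpcprivate", 3, 6),
    ("jsxml", 4, 2), ("nsGenericHTMLElement", 5, 8), ("jsgc", 6, 3),
    ("nsISEnvironment", 7, 12), ("jsfun", 8, 1), ("nsHTMLLabelElement", 9, 18),
    ("nsHttpTransaction", 10, 35),
]


def precision_recall(predicted: Set[str], actual: Set[str]) -> Tuple[float, float]:
    """Classification view: `predicted` are components the classifier flags as
    vulnerable, `actual` those with at least one advisory."""
    tp = len(predicted & actual)
    precision = tp / len(predicted) if predicted else 0.0
    recall = tp / len(actual) if actual else 0.0
    return precision, recall


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks in ascending order; tied values share their mean rank
    (the table has two components with actual rank 3)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman's rho: Pearson correlation of the (tie-averaged) ranks."""
    rx, ry = average_ranks(xs), average_ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    num = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    den = math.sqrt(sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry))
    return num / den


def top_rank_correlation(scores: Dict[str, float], actual_counts: Dict[str, int],
                         fraction: float) -> float:
    """Regression view: keep the top `fraction` of components by predicted
    score (at least one) and correlate predicted score with actual count."""
    k = max(1, int(round(len(scores) * fraction)))
    top = sorted(scores, key=lambda c: scores[c], reverse=True)[:k]
    return spearman([scores[c] for c in top], [actual_counts[c] for c in top])


def slide_table_correlation() -> float:
    """Rank correlation between predicted and actual rank in the slide's table."""
    return spearman([p for _, p, _ in SLIDE_TABLE], [a for _, _, a in SLIDE_TABLE])


# Constructed classifier output, not from the slides.
CONSTRUCTED_PREDICTED = {"a", "b", "c", "d"}
CONSTRUCTED_ACTUAL = {"a", "c", "e"}

if __name__ == "__main__":
    print("precision/recall:", precision_recall(CONSTRUCTED_PREDICTED, CONSTRUCTED_ACTUAL))
    print("rho on slide table: %.3f" % slide_table_correlation())
```

On the ten rows of the table the correlation is weak (about 0.17), which is what the outlier SGridRowLayout (predicted 2nd, actually 95th) does to a rank statistic on a tiny sample; the "moderately strong" figure on the results slide is computed over the whole top 1% per split, not over this excerpt.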