the beauty and the beast
play

The Beauty and the Beast Vulnerabilities in Red Hats Packages - PowerPoint PPT Presentation

May 02, 2023 •1.12k likes •1.9k views

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com> Vulnerabilities are important because fixing them costs a lot of money (2005

  1. The Beauty and the Beast Vulnerabilities in Red Hat’s Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com>

  2. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  3. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  4. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  5. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  6. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  7. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  8. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  9. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  10. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  13. 2/3 of packages Distribution of RHSAs top not shown 600 kernel , kernel-doc 100 Number of Packages php -related 10 1 0 8 18 30 41 73 88 112 129 Number of RHSAs Note logarithmic y-axis. 3241 packages in total, about 2/3 with no known vulnerabilities.

  14. Properties of packages, not properties of the software in the package

  15. Are there properties that correlate with vulnerabilities? Properties of packages, not properties of the software in the package

  16. Are there properties that correlate with vulnerabilities? Are there properties that increase or decrease the risk? Properties of packages, not properties of the software in the package

  17. Are there properties that correlate with vulnerabilities? Are there properties that increase or decrease the risk? Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  18. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that increase or decrease the risk? Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  19. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  20. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package ✔ Machine Learning contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  21. Dependencies

  22. Dependencies amanda-server

  23. Dependencies amanda-server glibc

  24. Dependencies libtermcap coreutils grep amanda-server perl gnuplot readline amanda glibc xinetd

  25. Dependencies and Vulnerabilities • Dependency A → B exists because A wants to use the services offered by B • Vulnerability exists in A if • A is in an insecure domain (domains are characterised by dependencies) • B is insecure and fix in B spills over to A; or • B is difficult to use securely Packages in same domain will tend to have same dependencies. Domain examples are: compilers, games, o ffj ce applications,

  26. Red Hat Dependencies

  27. Distribution of Package Dependencies development packages 400 containing headers 300 kdebase Number of Dependencies 200 100 0 0 4 8 13 19 25 31 37 43 50 56 62 75 81 88 96 Number of Packages Distribution is apparently logarithmic with a long tail. This is not transitive closure. kdebase has 14 RHSAs (but 96 dependencies), kernel has 129 (but 0 dependencies), so number of dependencies is not a good predictor of number of RHSAs

  28. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package ✔ Machine Learning contains unknown vulnerabilities?

  29. Where does the addition of dependencies significantly increase/ decrease the risk?

  30. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice

  31. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice 2. Compute change in risk

  32. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice 2. Compute change in risk 3. Include only statistically significant changes

  33. Step 1: Data Structure Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  34. Step 1: Data Structure ∅ Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  35. Step 1: Data Structure ∅ glibc Block 1: All packages depending on glibc Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  36. Step 1: Data Structure ∅ … glibc kdelibs Block 1: All packages depending on glibc Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  37. Step 1: Data Structure ∅ … glibc kdelibs qt xorg-x11-libs Block 1: All packages depending on glibc Block 2: All packages depending on glibc, qt Block 3: All packages depending on glibc, qt, xorg-x11-libs Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  38. Step 1: Data Structure ∅ … glibc kdelibs qt xorg-x11-libs Block 1: All packages depending on glibc Block 2: All packages depending on glibc, qt Block 3: All packages depending on glibc, qt, xorg-x11-libs Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  39. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) glibc, qt 77.4% vulnerable (120 out of 155) glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  40. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) +0.6% +52.7% glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) +43.9% glibc, qt 77.4% vulnerable (120 out of 155) +2.0% glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  41. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) +0.6% +52.7% glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) +43.9% Risk change by adding qt glibc, qt 77.4% vulnerable only when already dependent (120 out of 155) on glibc! (glibc is the context ) +2.0% glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  42. Step 3: Include Only Significant Changes • Risk changes with significance p < 0.01 • No significant and more general context exists for this dependency • Risk goes up: “beast” • Risk goes down: “beauty”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BEAUTY AND THE BEAUTY AND THE BEAST BEAST Eta Haskell for JVM JAREK RATAJSKI JAREK RATAJSKI

BEAUTY AND THE BEAUTY AND THE BEAST BEAST Eta Haskell for JVM JAREK RATAJSKI JAREK RATAJSKI

BEAUTY AND THE BEAUTY AND THE BEAST BEAST Eta Haskell for JVM JAREK RATAJSKI JAREK RATAJSKI @jarek000000 Loves programming since the first line I wrote for C64 Anarchitect @ Engenius GmbH Java developer (since 1999) with a functional

1.31k views • 114 slides
Fairytale By: David, Destinee, Erik, Lauren A is for Aladdin B is for Beauty and the Beast C is

Fairytale By: David, Destinee, Erik, Lauren A is for Aladdin B is for Beauty and the Beast C is

Fairytale By: David, Destinee, Erik, Lauren A is for Aladdin B is for Beauty and the Beast C is for Cinderella D is for Donkey (from shrek) E is for Evil Stepmother F is for Princess and the Frog G is for Goldilocks and the Three Bears H is

459 views • 27 slides
Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre Laperdrix, Walter Rudametkin, Benoit Baudry 2/19 Example of a fingerprint Attribute Value User agent Mozilla/5.0 (X11; Linux i686; rv:25.0)

215 views • 19 slides
Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser CCOVI Professional Affiliate Brock University, St. Catharines, ON Introduction to Pinot Noir The Story of the Origin Quotes taken from Pinot

818 views • 38 slides
Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser CCOVI Professional Affiliate Brock University, St. Catharines, ON Introduction to Pinot Noir The Story of the Origin Quotes taken from Pinot Noir

710 views • 39 slides
Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2

Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2

Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2 NIV) And the dragon stood on the shore of the sea. And I saw a beast coming out of the sea. He had ten horns and seven heads, with ten crowns on

259 views • 15 slides
Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald

Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald

Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald Sndergaard Portcullis Computer Security University of Melbourne Andy King and Harald Sndergaard Automatic Abstraction for Congruences Structure of

516 views • 12 slides
BEAST 2 BEAST 2 RB subst model BEAST Add-Ons Remco R. Bouckaert

BEAST 2 BEAST 2 RB subst model BEAST Add-Ons Remco R. Bouckaert

BEAST 2 Remco Bouckaert BEAST 2 BEAST 2 RB subst model BEAST Add-Ons Remco R. Bouckaert remco@cs.{auckland|waikato}.ac.nz rrb@xm.co.nz Department of Computer Science University of Auckland &amp; University of Waikato 1 BEAST 2 What

659 views • 20 slides
Feeding Feeding the the beast: beast: science science cases cases for for SHAR(K)

Feeding Feeding the the beast: beast: science science cases cases for for SHAR(K)

Feeding Feeding the the beast: beast: science science cases cases for for SHAR(K) SHAR(K)-NIR@LB NIR@LBT Valentina DOrazi INAF Padova Francesca Bacciotti (INAF Arcetri), Angela Bongiorno (INAF Roma) and the science team ADONI 2016,

554 views • 18 slides
Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST Species tree prior Multispecies coalescent Bayesian inference of species tree Molecular clock model Felsenstein likelihood and

205 views • 19 slides
OUR BUSINESS OUR BEAUTY IS multiplied BY SIX We also care for what is naturally beautiful:

OUR BUSINESS OUR BEAUTY IS multiplied BY SIX We also care for what is naturally beautiful:

BEAUTY IS OUR BUSINESS OUR BEAUTY IS multiplied BY SIX We also care for what is naturally beautiful: Brazil BEAUTY MADE IN 4,000 PLANTS retail stores So Jos dos Pinhais (iResearch Center) Camaari 1,750 DISTRIBUTION CENTERS cities

626 views • 23 slides
Beast II 101: Part 2 XML Add-ons Applications Remco R. Bouckaert

Beast II 101: Part 2 XML Add-ons Applications Remco R. Bouckaert

Beast II 101 Bouckaert Beast II 101: Part 2 XML Add-ons Applications Remco R. Bouckaert remco@cs.{auckland|waikato}.ac.nz Department of Computer Science University of Auckland &amp; University of Waikato 1 Beast II 101 What is XML?

492 views • 26 slides
OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite

OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite

PROGRAM OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite sampling bar station located the highly-trafficked foyer area directly from the lobby High-end environment with clear dispensers

398 views • 8 slides
Beam background detection at SuperKEKB/Belle II Peter M. Lewis on behalf of the BEAST II

Beam background detection at SuperKEKB/Belle II Peter M. Lewis on behalf of the BEAST II

Beam background detection at SuperKEKB/Belle II Peter M. Lewis on behalf of the BEAST II Collaboration University of Hawai i at M noa 27 February 2017 INSTR-17 Overview This talk About BEAST II: a suite of detectors for measuring

273 views • 26 slides
Sally Beauty Holdings December 2013 1 Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings December 2013 1 Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings December 2013 1 Company Highlights Sally Beauty Holdings is a leading international specialty retailer and distributor of professional beauty products Annual consolidated sales of over $3.6 billion Strong cash flow

604 views • 25 slides
Sally Beauty Holdings Company Overview Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings Company Overview Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings Company Overview Company Highlights Sally Beauty Holdings is a leading international specialty retailer and distributor of professional beauty products Annual consolidated sales of over $3.8 billion Strong cash

626 views • 25 slides
String Solving with Word Equations and Transducers: Anthony W. Lin (Yale-NUS), Pablo Barcelo

String Solving with Word Equations and Transducers: Anthony W. Lin (Yale-NUS), Pablo Barcelo

String Solving with Word Equations and Transducers: Anthony W. Lin (Yale-NUS), Pablo Barcelo (Univ. of Chile) String

394 views • 27 slides
Major problem for biologists using SAS Major problem for biologists using SAS In the past,

Major problem for biologists using SAS Major problem for biologists using SAS In the past,

Ab initio methods: how/why do they work D.Svergun, EMBL-Hamburg Major problem for biologists using SAS Major problem for biologists using SAS In the past, many biologists did not believe that SAS yields more than the radius of gyration

855 views • 27 slides
Ivanov Boris #whoami Ivanov Boris: Senior Computer Forensics Specialist LLC Group-IB

Ivanov Boris #whoami Ivanov Boris: Senior Computer Forensics Specialist LLC Group-IB

COMPUTER FORENSIC INVESTIGATION OF {mobile} BANKING TROJAN Ivanov Boris #whoami Ivanov Boris: Senior Computer Forensics Specialist LLC Group-IB Graduate student 05.13.19 - Defense methods and systems of information, information

664 views • 39 slides
Ab initio methods: how/why do they work D.Svergun Small-angle scattering in structural biology

Ab initio methods: how/why do they work D.Svergun Small-angle scattering in structural biology

29-Oct-14 Ab initio methods: how/why do they work D.Svergun Small-angle scattering in structural biology Data analysis Detector Resolution, nm: 3 Incident Sample lg I, relative 3.1 1.6 1.0 0.8 beam Wave vector 2 2 Scattering

611 views • 31 slides
Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab -

492 views • 25 slides
Extinction Class 5 Jan 26, 2009 Last Class Today Endemism

Extinction Class 5 Jan 26, 2009 Last Class Today Endemism

Extinction Class 5 Jan 26, 2009 Last Class Today Endemism Species Ecosystem Role Estimating extinction Extinct Species Rate of Extinction Cause of

695 views • 38 slides
Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct

Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct

Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct 1922 Tasmanian Tiger Gastric brooding frog Extinct ? Extinct 1936 Not found since 1985 Table 2.2. A sample of species once thought extinct,

301 views • 7 slides
on Low- &amp; Moderate-Income Communities Wednesday, November 7, 2018 | 3:30-4:00 ET Welcome

on Low- &amp; Moderate-Income Communities Wednesday, November 7, 2018 | 3:30-4:00 ET Welcome

Insights on the Impact of Fees on Low- &amp; Moderate-Income Communities Wednesday, November 7, 2018 | 3:30-4:00 ET Welcome Carmen Shorter Sr. Manager for Learning, Field Engagement Prosperity Now Smart Growth for Credit Counseling

495 views • 18 slides

More recommend