[Other] Security bug lifetime

一瞬间的记忆 posted on 2016-10-19 17:56:14
In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.

As the README details, the raw CVE data is spread across the active/, retired/, and ignored/ directories. By scanning through the CVE files to find any that contain the line “Patches_linux:”, I can extract the details on when a flaw was introduced and when it was fixed. For example, CVE-2016-0728 shows:
[code]Patches_linux:
break-fix: 3a50597de8635cd05133bd12c95681c82fe7b878 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2[/code]

This means that CVE-2016-0728 is believed to have been introduced by commit 3a50597de8635cd05133bd12c95681c82fe7b878 and fixed by commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2. If there are multiple lines, then there may be multiple SHAs identified as contributing to the flaw or the fix. And a “-” in place of a SHA is just shorthand for the start of Linux git history.

Then for each SHA, I queried git to find its corresponding release, made a mapping of release version to release date, wrote out the raw data, and rendered graphs. Each vertical line shows a given CVE from when it was introduced to when it was fixed. Red is “Critical”, orange is “High”, blue is “Medium”, and black is “Low”:
[Figure 1: Security bug lifetime, all severities]

  And here it is zoomed in to just Critical and High:

[Figure 2: Security bug lifetime, Critical and High only]

The line in the middle is the date from which I started the CVE search (2011). The vertical axis is actually linear time, but it’s labeled with kernel releases (which are pretty regular). The numerical summary is:

• Critical: 2 @ 3.3 years
• High: 34 @ 6.4 years
• Medium: 334 @ 5.2 years
• Low: 186 @ 5.0 years

This comes out to roughly 5 years lifetime again, so not much has changed from Jon’s 2010 analysis.

While we’re getting better at fixing bugs, we’re also adding more bugs. And for many devices that have been built on a given kernel version, there haven’t been frequent (or sometimes any) security updates, so the bug lifetime for those devices is even longer. To really create a safe kernel, we need to get proactive about self-protection technologies. The systems using a Linux kernel are right now running with security flaws. Those flaws are just not known to the developers yet, but they’re likely known to attackers.
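The pipeline described above (filter tracker files on “Patches_linux:”, pull the break-fix SHA pairs, map each SHA to a release date, measure introduction-to-fix time, then summarize per priority in the “N @ X years” form of the list above) as a small worked example. This is added illustration code, not Kees Cook’s script and not part of the Ubuntu CVE Tracker. The “Patches_linux:”/“break-fix:” layout and the “-” shorthand are taken from the post; the “Priority:” field, the CVE ids, the SHAs, the SHA-to-release table and all dates are constructed stand-ins for what `git describe --contains` and a release calendar would supply. Where a CVE has several break-fix lines, the example takes the earliest introduction and the latest fix, which is one reasonable reading of the post, not necessarily the author’s.

```python
import re
from datetime import date
from collections import defaultdict

# --- Constructed sample input (not real tracker data) ---------------------
# Only the "Patches_linux:" / "break-fix:" layout comes from the post; the
# "Priority:" field, CVE ids, SHAs and dates below are made up for this example.
SAMPLE_CVE_FILES = {
    "active/CVE-0000-0001": (
        "Candidate: CVE-0000-0001\n"
        "Priority: high\n"
        "Patches_linux:\n"
        " break-fix: aaaa111 bbbb222\n"
    ),
    "retired/CVE-0000-0002": (
        "Candidate: CVE-0000-0002\n"
        "Priority: medium\n"
        "Patches_linux:\n"
        " break-fix: - cccc333\n"        # '-' = present since the start of git history
        " break-fix: dddd444 eeee555\n"  # a second SHA pair for the same CVE
    ),
    "ignored/CVE-0000-0003": (
        "Candidate: CVE-0000-0003\n"
        "Priority: low\n"
        "Notes: no Patches_linux section, so this file is skipped\n"
    ),
}

# Stand-ins for the two lookups the post describes: SHA -> first release that
# contains it (what git would answer) and release -> release date. Constructed.
SHA_TO_RELEASE = {"aaaa111": "v3.8", "bbbb222": "v4.0", "cccc333": "v3.13",
                  "dddd444": "v3.10", "eeee555": "v4.4"}
RELEASE_DATES = {"v3.8": date(2013, 1, 1), "v3.10": date(2013, 7, 1),
                 "v3.13": date(2014, 1, 1), "v4.0": date(2015, 1, 1),
                 "v4.4": date(2016, 1, 1)}
GIT_HISTORY_START = date(2005, 4, 16)  # assumed date for the '-' shorthand

BREAK_FIX_RE = re.compile(r"^\s*break-fix:\s+(\S+)\s+(\S+)\s*$")


def parse_break_fix(text):
    """Return [(break_sha, fix_sha), ...] from one tracker file, or None when
    the file has no 'Patches_linux:' line (the post's filter criterion)."""
    if not re.search(r"^Patches_linux:", text, re.M):
        return None
    pairs = []
    for line in text.splitlines():
        m = BREAK_FIX_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_priority(text):
    """Assumed 'Priority: <level>' field; normalised to 'High', 'Medium', ..."""
    m = re.search(r"^Priority:\s*(\S+)", text, re.M)
    return m.group(1).capitalize() if m else "Unknown"


def sha_date(sha):
    """Date of the first release containing the SHA; '-' means git's beginning."""
    if sha == "-":
        return GIT_HISTORY_START
    return RELEASE_DATES[SHA_TO_RELEASE[sha]]


def lifetime_days(pairs):
    """Earliest introduction to latest fix across all break-fix lines of a CVE."""
    introduced = min(sha_date(b) for b, _ in pairs)
    fixed = max(sha_date(f) for _, f in pairs)
    return (fixed - introduced).days


def cve_lifetimes(files):
    """{cve_id: (priority, lifetime_in_days)} for files with Patches_linux data."""
    result = {}
    for path, text in files.items():
        pairs = parse_break_fix(text)
        if not pairs:
            continue
        cve_id = path.rsplit("/", 1)[-1]
        result[cve_id] = (parse_priority(text), lifetime_days(pairs))
    return result


def summarize(lifetimes):
    """Per-priority (count, mean lifetime in years), rounded to one decimal."""
    by_prio = defaultdict(list)
    for prio, days in lifetimes.values():
        by_prio[prio].append(days / 365.25)
    return {p: (len(v), round(sum(v) / len(v), 1)) for p, v in by_prio.items()}


def format_summary(summary):
    """Render in the post's order and 'Priority: N @ X years' shape."""
    order = ["Critical", "High", "Medium", "Low"]
    extra = sorted(set(summary) - set(order))
    return [f"{p}: {summary[p][0]} @ {summary[p][1]} years"
            for p in order + extra if p in summary]


if __name__ == "__main__":
    for line in format_summary(summarize(cve_lifetimes(SAMPLE_CVE_FILES))):
        print(line)
```

To run this against a real checkout of the tracker, replace `SAMPLE_CVE_FILES` with the contents of the files under active/, retired/ and ignored/, and replace the two lookup tables with the output of git for each SHA and a table of tag dates; the parsing and summary logic stays the same. Because the third sample file has no “Patches_linux:” line it is skipped rather than counted as a zero-length lifetime, which is the behaviour the post’s filtering step implies.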
© 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

dwqmx posted on 2016-11-15 23:19:29
Who's the best at digging up old threads? dwqmx