
Predicting Vulnerable Software Components, by Stephan Neuhaus, Thomas Zimmermann and Andreas Zeller (PowerPoint PPT Presentation)



  1. Predicting Vulnerable Software Components Stephan Neuhaus Thomas Zimmermann Andreas Zeller

  2. Seven Mozilla Security Advisories (2005-12, 2005-13, 2005-14, 2005-15, 2005-16, 2005-41, 2006-76), whose titles are:
     • Privilege escalation via DOM property overrides
     • XSS using outer window's Function object
     • Spoofing download and security dialogs with overlapping windows
     • Heap overflow possible in UTF8 to Unicode conversion
     • Window Injection Spoofing
     • Livefeed bookmarks can steal cookies
     • SSL "secure site" indicator spoofing
     Severities range from Low to Critical; affected products include Firefox, Firefox 2.0, Thunderbird and the Mozilla Suite. One of the descriptions observes that "the common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window."
     Questions raised by the slide: What other components are vulnerable? Is this new component likely to be vulnerable?

  3. [Figure: the Vulture pipeline] Vulnerability Database + Version Archive → Code, split into Components → Vulture → Predictor → (new) Component

  4. Look for features that are invariant under evolution: Programmer, Code Complexity, Code, Language

  5. Imports: GUI, Database, Certificates, OS

  6. [Figure: import matrix, ✘/✔ marks per component] imports shown: nsIContent.h, nsIContentUtils.h, nsIScriptSecurityManager.h

  7. [Figure: import matrix, continued] imports shown: nsIPrivateDOMEvent.h, nsReadableUtils.h

  8. Research Questions
     • How well do imports predict vulnerabilities?
     • Can imports be used for classification (vulnerable or not) and for regression (number of vulnerabilities)?
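As an added illustration of the two research questions (not code from the slides or from the Vulture project), the following Python builds import features from C/C++ sources and answers both questions with a simple per-import scorer; the file names, vulnerability counts and training set are constructed, and only the header names come from the slides. Vulture's own learner is not reproduced here; the point is how import sets become features for classification and regression.

```python
"""Import-based vulnerability prediction (constructed example, not Vulture's code)."""
import re
from collections import defaultdict

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)

def imports_of(source: str) -> frozenset:
    """Extract the set of #include'd headers from C/C++ source text."""
    return frozenset(INCLUDE_RE.findall(source))

# Constructed training set: component -> (source text, number of known vulnerabilities).
TRAINING = {
    "layout/a.cpp": ('#include "nsIContent.h"\n#include "nsIScriptSecurityManager.h"\n'
                     '#include "nsReadableUtils.h"\n', 2),
    "dom/b.cpp":    ('#include "nsIContent.h"\n#include "nsIScriptSecurityManager.h"\n', 1),
    "dom/c.cpp":    ('#include "nsIContent.h"\n#include "nsReadableUtils.h"\n', 0),
    "xpcom/d.cpp":  ('#include "nsReadableUtils.h"\n#include "nsString.h"\n', 0),
    "xpcom/e.cpp":  ('#include "nsString.h"\n', 0),
    "layout/f.cpp": ('#include "nsIPrivateDOMEvent.h"\n#include "nsIContent.h"\n', 0),
}

def train(components):
    """Per import: (fraction of importing components that are vulnerable,
    mean vulnerability count over importing components)."""
    total, vulnerable, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for source, nvuln in components.values():
        for imp in imports_of(source):
            total[imp] += 1
            vulnerable[imp] += int(nvuln > 0)
            count[imp] += nvuln
    return {imp: (vulnerable[imp] / total[imp], count[imp] / total[imp]) for imp in total}

def _scores(source, model):
    """Average the per-import statistics over the imports seen in training."""
    known = [model[i] for i in imports_of(source) if i in model]
    if not known:  # no import was seen in training: nothing to base a prediction on
        return 0.0, 0.0
    return (sum(r for r, _ in known) / len(known), sum(c for _, c in known) / len(known))

def classify(source, model, threshold=0.5):
    """Classification: is this component likely to be vulnerable?"""
    return _scores(source, model)[0] >= threshold

def estimate_count(source, model):
    """Regression: how many vulnerabilities should we expect in this component?"""
    return _scores(source, model)[1]

if __name__ == "__main__":
    model = train(TRAINING)
    new = '#include "nsIScriptSecurityManager.h"\n#include "nsString.h"\n'
    print(classify(new, model), estimate_count(new, model))
```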

  9. Case Study: Mozilla
     • CVS from January 4, 2007
     • 14,368 C/C++ files
     • 134 Security Advisories since January 2005
     • Only 424 vulnerable components (4.05%) ⇒ Prediction is challenging

  10. [Figure] 10,452 components in Mozilla, of which 424 (4.05%) are vulnerable
