the beauty and the beast
play

The Beauty and the Beast Vulnerabilities in Red Hats Packages - PowerPoint PPT Presentation

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com> Vulnerabilities are important because fixing them costs a lot of money (2005


  1. The Beauty and the Beast Vulnerabilities in Red Hat’s Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com>

  2. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  3. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  4. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  5. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  6. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  7. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  8. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  9. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  10. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  11. 2/3 of packages Distribution of RHSAs top not shown 600 kernel , kernel-doc 100 Number of Packages php -related 10 1 0 8 18 30 41 73 88 112 129 Number of RHSAs Note logarithmic y-axis. 3241 packages in total, about 2/3 with no known vulnerabilities.

  12. Properties of packages, not properties of the software in the package

  13. Are there properties that correlate with vulnerabilities? Properties of packages, not properties of the software in the package

  14. Are there properties that correlate with vulnerabilities? Are there properties that increase or decrease the risk? Properties of packages, not properties of the software in the package

  15. Are there properties that correlate with vulnerabilities? Are there properties that increase or decrease the risk? Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  16. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that increase or decrease the risk? Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  17. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  18. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package ✔ Machine Learning contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  19. Dependencies

  20. Dependencies amanda-server

  21. Dependencies amanda-server glibc

  22. Dependencies libtermcap coreutils grep amanda-server perl gnuplot readline amanda glibc xinetd

  23. Dependencies and Vulnerabilities • Dependency A → B exists because A wants to use the services offered by B • Vulnerability exists in A if • A is in an insecure domain (domains are characterised by dependencies) • B is insecure and fix in B spills over to A; or • B is difficult to use securely Packages in same domain will tend to have same dependencies. Domain examples are: compilers, games, o ffj ce applications,

  24. Red Hat Dependencies

  25. Distribution of Package Dependencies development packages 400 containing headers 300 kdebase Number of Dependencies 200 100 0 0 4 8 13 19 25 31 37 43 50 56 62 75 81 88 96 Number of Packages Distribution is apparently logarithmic with a long tail. This is not transitive closure. kdebase has 14 RHSAs (but 96 dependencies), kernel has 129 (but 0 dependencies), so number of dependencies is not a good predictor of number of RHSAs

  26. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package ✔ Machine Learning contains unknown vulnerabilities?

  27. Where does the addition of dependencies significantly increase/ decrease the risk?

  28. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice

  29. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice 2. Compute change in risk

  30. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice 2. Compute change in risk 3. Include only statistically significant changes

  31. Step 1: Data Structure Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  32. Step 1: Data Structure ∅ Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  33. Step 1: Data Structure ∅ glibc Block 1: All packages depending on glibc Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  34. Step 1: Data Structure ∅ … glibc kdelibs Block 1: All packages depending on glibc Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  35. Step 1: Data Structure ∅ … glibc kdelibs qt xorg-x11-libs Block 1: All packages depending on glibc Block 2: All packages depending on glibc, qt Block 3: All packages depending on glibc, qt, xorg-x11-libs Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  36. Step 1: Data Structure ∅ … glibc kdelibs qt xorg-x11-libs Block 1: All packages depending on glibc Block 2: All packages depending on glibc, qt Block 3: All packages depending on glibc, qt, xorg-x11-libs Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  37. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) glibc, qt 77.4% vulnerable (120 out of 155) glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  38. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) +0.6% +52.7% glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) +43.9% glibc, qt 77.4% vulnerable (120 out of 155) +2.0% glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  39. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) +0.6% +52.7% glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) +43.9% Risk change by adding qt glibc, qt 77.4% vulnerable only when already dependent (120 out of 155) on glibc! (glibc is the context ) +2.0% glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  40. Step 3: Include Only Significant Changes • Risk changes with significance p < 0.01 • No significant and more general context exists for this dependency • Risk goes up: “beast” • Risk goes down: “beauty”

Recommend


More recommend