the beauty and the beast
play

The Beauty and the Beast Vulnerabilities in Red Hats Packages - PowerPoint PPT Presentation

May 02, 2023 •1.12k likes •1.9k views

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com> Vulnerabilities are important because fixing them costs a lot of money (2005

  1. The Beauty and the Beast Vulnerabilities in Red Hat’s Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com>

  2. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  3. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  4. Vulnerabilities are important because fixing them costs a lot of money (2005 FBI study: 67 Bn $). There are 3241 packages (or were, by August 2008) o fg ered by Red Hat. (There are certainly more being o fg ered for Red Hat!)

  5. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  6. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  7. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  8. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  9. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  10. Explain colours: white = no vulnerabilities, blue -> red: progressively more

  13. 2/3 of packages Distribution of RHSAs top not shown 600 kernel , kernel-doc 100 Number of Packages php -related 10 1 0 8 18 30 41 73 88 112 129 Number of RHSAs Note logarithmic y-axis. 3241 packages in total, about 2/3 with no known vulnerabilities.

  14. Properties of packages, not properties of the software in the package

  15. Are there properties that correlate with vulnerabilities? Properties of packages, not properties of the software in the package

  16. Are there properties that correlate with vulnerabilities? Are there properties that increase or decrease the risk? Properties of packages, not properties of the software in the package

  17. Are there properties that correlate with vulnerabilities? Are there properties that increase or decrease the risk? Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  18. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that increase or decrease the risk? Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  19. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  20. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package ✔ Machine Learning contains unknown vulnerabilities? Properties of packages, not properties of the software in the package

  21. Dependencies

  22. Dependencies amanda-server

  23. Dependencies amanda-server glibc

  24. Dependencies libtermcap coreutils grep amanda-server perl gnuplot readline amanda glibc xinetd

  25. Dependencies and Vulnerabilities • Dependency A → B exists because A wants to use the services offered by B • Vulnerability exists in A if • A is in an insecure domain (domains are characterised by dependencies) • B is insecure and fix in B spills over to A; or • B is difficult to use securely Packages in same domain will tend to have same dependencies. Domain examples are: compilers, games, o ffj ce applications,

  26. Red Hat Dependencies

  27. Distribution of Package Dependencies development packages 400 containing headers 300 kdebase Number of Dependencies 200 100 0 0 4 8 13 19 25 31 37 43 50 56 62 75 81 88 96 Number of Packages Distribution is apparently logarithmic with a long tail. This is not transitive closure. kdebase has 14 RHSAs (but 96 dependencies), kernel has 129 (but 0 dependencies), so number of dependencies is not a good predictor of number of RHSAs

  28. Are there properties that ✔ Dependencies correlate with vulnerabilities? Are there properties that ✔ Beauties and increase or decrease the risk? Beasts Can we predict whether a package ✔ Machine Learning contains unknown vulnerabilities?

  29. Where does the addition of dependencies significantly increase/ decrease the risk?

  30. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice

  31. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice 2. Compute change in risk

  32. Where does the addition of dependencies significantly increase/ decrease the risk? 1. Data structure: concept lattice 2. Compute change in risk 3. Include only statistically significant changes

  33. Step 1: Data Structure Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  34. Step 1: Data Structure ∅ Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  35. Step 1: Data Structure ∅ glibc Block 1: All packages depending on glibc Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  36. Step 1: Data Structure ∅ … glibc kdelibs Block 1: All packages depending on glibc Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  37. Step 1: Data Structure ∅ … glibc kdelibs qt xorg-x11-libs Block 1: All packages depending on glibc Block 2: All packages depending on glibc, qt Block 3: All packages depending on glibc, qt, xorg-x11-libs Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  38. Step 1: Data Structure ∅ … glibc kdelibs qt xorg-x11-libs Block 1: All packages depending on glibc Block 2: All packages depending on glibc, qt Block 3: All packages depending on glibc, qt, xorg-x11-libs Start with no knowledge about dependencies (top node contains all packages). Add knowledge of glibc (node contains all packages depending on glibc), then qt (node contains all packages depending on qt and glibc), then xorg-x11-libs (node contains all packages

  39. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) glibc, qt 77.4% vulnerable (120 out of 155) glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  40. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) +0.6% +52.7% glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) +43.9% glibc, qt 77.4% vulnerable (120 out of 155) +2.0% glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  41. Step 2: ∅ 32.9% vulnerable Compute Risk Change (1065 out of 3241) +0.6% +52.7% glibc kdelibs 33.5% vulnerable 85.6% vulnerable (692 out of 2066) (143 out of 167) +43.9% Risk change by adding qt glibc, qt 77.4% vulnerable only when already dependent (120 out of 155) on glibc! (glibc is the context ) +2.0% glibc, qt, xorg-x11-libs 79.4% vulnerable (27 out of 34) Question: Is the rise of 43.9% when going from {glibc} to {glibc, qt} just some random fluctuation? We test this using statistical tests (Chi^2 or Fischer exact) and discard the “random fluctuation” hypothesis when the probability of such a increase happening

  42. Step 3: Include Only Significant Changes • Risk changes with significance p < 0.01 • No significant and more general context exists for this dependency • Risk goes up: “beast” • Risk goes down: “beauty”

Recommend

BEAUTY AND THE BEAUTY AND THE BEAST BEAST Eta Haskell for JVM JAREK RATAJSKI JAREK RATAJSKI

BEAUTY AND THE BEAUTY AND THE BEAST BEAST Eta Haskell for JVM JAREK RATAJSKI JAREK RATAJSKI

BEAUTY AND THE BEAUTY AND THE BEAST BEAST Eta Haskell for JVM JAREK RATAJSKI JAREK RATAJSKI @jarek000000 Loves programming since the first line I wrote for C64 Anarchitect @ Engenius GmbH Java developer (since 1999) with a functional

1.31k views • 114 slides
Fairytale By: David, Destinee, Erik, Lauren A is for Aladdin B is for Beauty and the Beast C is

Fairytale By: David, Destinee, Erik, Lauren A is for Aladdin B is for Beauty and the Beast C is

Fairytale By: David, Destinee, Erik, Lauren A is for Aladdin B is for Beauty and the Beast C is for Cinderella D is for Donkey (from shrek) E is for Evil Stepmother F is for Princess and the Frog G is for Goldilocks and the Three Bears H is

459 views • 27 slides
Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre Laperdrix, Walter Rudametkin, Benoit Baudry 2/19 Example of a fingerprint Attribute Value User agent Mozilla/5.0 (X11; Linux i686; rv:25.0)

215 views • 19 slides
Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser CCOVI Professional Affiliate Brock University, St. Catharines, ON Introduction to Pinot Noir The Story of the Origin Quotes taken from Pinot

818 views • 38 slides
Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser

Pinot Noir: The Savage Yet Seductive Grape The Beauty and the Beast Dr. Karl Kaiser CCOVI Professional Affiliate Brock University, St. Catharines, ON Introduction to Pinot Noir The Story of the Origin Quotes taken from Pinot Noir

710 views • 39 slides
Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2

Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2

Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2 NIV) And the dragon stood on the shore of the sea. And I saw a beast coming out of the sea. He had ten horns and seven heads, with ten crowns on

259 views • 15 slides
Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald

Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald

Automatic Abstraction for Congruences A Story of Beauty and the Beast Andy King and Harald Sndergaard Portcullis Computer Security University of Melbourne Andy King and Harald Sndergaard Automatic Abstraction for Congruences Structure of

516 views • 12 slides
BEAST 2 BEAST 2 RB subst model BEAST Add-Ons Remco R. Bouckaert

BEAST 2 BEAST 2 RB subst model BEAST Add-Ons Remco R. Bouckaert

BEAST 2 Remco Bouckaert BEAST 2 BEAST 2 RB subst model BEAST Add-Ons Remco R. Bouckaert remco@cs.{auckland|waikato}.ac.nz rrb@xm.co.nz Department of Computer Science University of Auckland &amp; University of Waikato 1 BEAST 2 What

659 views • 20 slides
Feeding Feeding the the beast: beast: science science cases cases for for SHAR(K)

Feeding Feeding the the beast: beast: science science cases cases for for SHAR(K)

Feeding Feeding the the beast: beast: science science cases cases for for SHAR(K) SHAR(K)-NIR@LB NIR@LBT Valentina DOrazi INAF Padova Francesca Bacciotti (INAF Arcetri), Angela Bongiorno (INAF Roma) and the science team ADONI 2016,

554 views • 18 slides
Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST

Taming the Beast Taming the Beast Workshop Bayesian inference of species tree Species &amp; gene trees *BEAST Species tree prior Multispecies coalescent Bayesian inference of species tree Molecular clock model Felsenstein likelihood and

205 views • 19 slides
OUR BUSINESS OUR BEAUTY IS multiplied BY SIX We also care for what is naturally beautiful:

OUR BUSINESS OUR BEAUTY IS multiplied BY SIX We also care for what is naturally beautiful:

BEAUTY IS OUR BUSINESS OUR BEAUTY IS multiplied BY SIX We also care for what is naturally beautiful: Brazil BEAUTY MADE IN 4,000 PLANTS retail stores So Jos dos Pinhais (iResearch Center) Camaari 1,750 DISTRIBUTION CENTERS cities

626 views • 23 slides
Beast II 101: Part 2 XML Add-ons Applications Remco R. Bouckaert

Beast II 101: Part 2 XML Add-ons Applications Remco R. Bouckaert

Beast II 101 Bouckaert Beast II 101: Part 2 XML Add-ons Applications Remco R. Bouckaert remco@cs.{auckland|waikato}.ac.nz Department of Computer Science University of Auckland &amp; University of Waikato 1 Beast II 101 What is XML?

492 views • 26 slides
OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite

OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite

PROGRAM OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite sampling bar station located the highly-trafficked foyer area directly from the lobby High-end environment with clear dispensers

398 views • 8 slides
Beam background detection at SuperKEKB/Belle II Peter M. Lewis on behalf of the BEAST II

Beam background detection at SuperKEKB/Belle II Peter M. Lewis on behalf of the BEAST II

Beam background detection at SuperKEKB/Belle II Peter M. Lewis on behalf of the BEAST II Collaboration University of Hawai i at M noa 27 February 2017 INSTR-17 Overview This talk About BEAST II: a suite of detectors for measuring

273 views • 26 slides
Sally Beauty Holdings December 2013 1 Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings December 2013 1 Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings December 2013 1 Company Highlights Sally Beauty Holdings is a leading international specialty retailer and distributor of professional beauty products Annual consolidated sales of over $3.6 billion Strong cash flow

604 views • 25 slides
Sally Beauty Holdings Company Overview Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings Company Overview Company Highlights Sally Beauty Holdings is a leading

Sally Beauty Holdings Company Overview Company Highlights Sally Beauty Holdings is a leading international specialty retailer and distributor of professional beauty products Annual consolidated sales of over $3.8 billion Strong cash

626 views • 25 slides
NON-SURGICAL TREATMENT SOLUTIONS WHAT IS BEAUTY? Beauty is easy enough to spot, but tricky to

NON-SURGICAL TREATMENT SOLUTIONS WHAT IS BEAUTY? Beauty is easy enough to spot, but tricky to

NON-SURGICAL TREATMENT SOLUTIONS WHAT IS BEAUTY? Beauty is easy enough to spot, but tricky to definedespite countless attempts to do so. Sometime around 300 B.C., the Greek mathematician Euclid identified the &quot;Golden

503 views • 47 slides
PROFESSIONALS GUIDE www.glambolt.com V1- 1/2020 THE NEW BEAUTY APP Glambolt LTD is an

PROFESSIONALS GUIDE www.glambolt.com V1- 1/2020 THE NEW BEAUTY APP Glambolt LTD is an

PROFESSIONALS GUIDE www.glambolt.com V1- 1/2020 THE NEW BEAUTY APP Glambolt LTD is an exciting new geo location mobile beauty App Glambolt Beauty on the Go which will benefit you as a professional in growing your business, marketing your

179 views • 7 slides
BEAST results on SuperKEKB beam background: focus on the PLUME pixelated system Jerome Baudot on

BEAST results on SuperKEKB beam background: focus on the PLUME pixelated system Jerome Baudot on

BEAST results on SuperKEKB beam background: focus on the PLUME pixelated system Jerome Baudot on behalf of the BEAST/Belle II collaboration Beam induced background at SuperKEKB &amp; Belle II: BEAST The double-sided PLUME device

601 views • 38 slides
New Concept of Beauty Unique way to take Care of Hair Combines beauty style and shape with the

New Concept of Beauty Unique way to take Care of Hair Combines beauty style and shape with the

New Concept of Beauty Unique way to take Care of Hair Combines beauty style and shape with the styling line. We believe beauty starts from the Hair Hair represent the inner charm that each end one of us wish to show and take care of. Choose the

398 views • 10 slides
New Concept of Beauty Unique way to take Care of Hair Combines beauty style and shape with the

New Concept of Beauty Unique way to take Care of Hair Combines beauty style and shape with the

New Concept of Beauty Unique way to take Care of Hair Combines beauty style and shape with the styling line. We believe beauty starts from the Hair Hair represent the inner charm that each end one of us wish to show and take care of. This is why

265 views • 25 slides
1 BEAUTY ISTANBUL, THE NEW EXHIBITION BY IPEKYOLU, THE EXPERIENCED TEAM IPEKYOLU Exhibitions with

1 BEAUTY ISTANBUL, THE NEW EXHIBITION BY IPEKYOLU, THE EXPERIENCED TEAM IPEKYOLU Exhibitions with

1 BEAUTY ISTANBUL, THE NEW EXHIBITION BY IPEKYOLU, THE EXPERIENCED TEAM IPEKYOLU Exhibitions with 20 years experience, is back to cosmetics, beauty industry trade show business with its new project: Beauty Istanbul, October 2 3 4, 2019;

368 views • 11 slides
Wrangling the Bugzilla Beast Robinson Tryon September 23 rd , 2015 1 Wrangling the Bugzilla

Wrangling the Bugzilla Beast Robinson Tryon September 23 rd , 2015 1 Wrangling the Bugzilla

Wrangling the Bugzilla Beast Robinson Tryon September 23 rd , 2015 1 Wrangling the Bugzilla Beast - Aarhus 2015 About:me Robinson Tryon QA Engineer with The Document Foundation Dabble in Release Engineering Proofread English and lots of

608 views • 49 slides
Phase 2 1 cmarinas@uni-bonn.de Phase 2 Phase 2: BEAST and partial Belle II Phase 3: Full

Phase 2 1 cmarinas@uni-bonn.de Phase 2 Phase 2: BEAST and partial Belle II Phase 3: Full

Phase 2 1 cmarinas@uni-bonn.de Phase 2 Phase 2: BEAST and partial Belle II Phase 3: Full Belle II detector Phase 2 (BEAST II) The SuperKEKB accelerator will be operating, for the first time, with QCS magnets First operation with

597 views • 56 slides

More recommend