Human Behavior and Cyber Vulnerabilities - UMD - July 2015
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): VS Subrahmanian
Researchers: Ziyun Zhu, Arunesh Mathur, Sorour Amiri, and Liangzhe Chen (graduate students), and Tudor Dumitras, Marshini Chetty, and Aditya Prakash (faculty)
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
Understanding and Accounting for Human Behavior
Security-Metrics-Driven Evaluation, Design, Development, and Deployment
PROJECT SYNOPSIS
When a vulnerability is exploited, software vendors often release patches fixing the vulnerability. However, our prior research has shown that some vulnerabilities continue to be exploited more than four years after their disclosure. Why? We posit that there are both technical and sociological reasons for this. On the technical side, it is unclear how quickly security patches are disseminated, and how long it takes to patch all the vulnerable hosts on the Internet. On the sociological side, users/administrators may decide to delay the deployment of security patches. Our goal in this task is to validate and quantify these explanations. Specifically, we seek to characterize the rate of vulnerability patching, and to determine the factors--both technical and sociological--that influence the rate of applying patches.
PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.
Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, and Tudor Dumitras. The attack of the clones: A study of the impact of shared code on vulnerability patching. In IEEE Symposium on Security and Privacy, San Jose, CA, May 2015.
ACCOMPLISHMENT HIGHLIGHTS
We conducted a large-scale measurement of security patch deployment. Our paper on this work was accepted at Oakland’15. Main contributions:
- We collected a corpus of daily patch-deployment measurements for 1,593 vulnerabilities from 10 popular client applications (e.g. document readers and editors, Web browsers, multimedia players). These applications are difficult to monitor through network scanning, and they are often targeted in spear phishing attacks.
- For 77% of the vulnerabilities analyzed, patching started within 7 days of the disclosure date.
- We observed important differences in the patching rate of different applications: none of the applications considered, except for the Chrome browser (which employs automated updates for all the versions in our study), was able to reach 90% of the vulnerable host population for more than 90% of the patches released during our 5-year observation period.
- A host may be affected by several instances of a vulnerability because of shared code, in the form of libraries used in several applications or multiple versions of an application installed in parallel.
- We have identified two attacks that take advantage of multiple instances of an application, installed in parallel on a host but patched separately, and we quantified the magnitude of the problem.
- More information is available at http://www.umiacs.umd.edu/~tdumitra/blog/2015/04/15/impact-of-shared-code-on-vulnerability-patching/