[Other] Security bug lifetime

一瞬间的记忆 posted on 2016-10-19 17:56:14
In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.
   As the README details, the raw CVE data is spread across the active/, retired/, and ignored/ directories. By scanning through the CVE files to find any that contain the line “Patches_linux:”, I can extract the details on when a flaw was introduced and when it was fixed. For example CVE-2016-0728 shows:
    Patches_linux:
     break-fix: 3a50597de8635cd05133bd12c95681c82fe7b878 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2
  This means that CVE-2016-0728 is believed to have been introduced by commit 3a50597de8635cd05133bd12c95681c82fe7b878 and fixed by commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2. If there are multiple lines, then there may be multiple SHAs identified as contributing to the flaw or the fix. And a “-” is just short-hand for the start of Linux git history.
   Then for each SHA, I queried git to find its corresponding release, and made a mapping of release version to release date, wrote out the raw data, and rendered graphs. Each vertical line shows a given CVE from when it was introduced to when it was fixed. Red is “Critical”, orange is “High”, blue is “Medium”, and black is “Low”:
   [Figure: Security bug lifetime, all CVEs]
  And here it is zoomed in to just Critical and High:
   [Figure: Security bug lifetime, Critical and High only]
  The line in the middle is the date from which I started the CVE search (2011). The vertical axis is actually linear time, but it’s labeled with kernel releases (which are pretty regular). The numerical summary is:
  • Critical: 2 @ 3.3 years
  • High: 34 @ 6.4 years
  • Medium: 334 @ 5.2 years
  • Low: 186 @ 5.0 years
  This comes out to roughly 5 years lifetime again, so not much has changed from Jon’s 2010 analysis.
   While we’re getting better at fixing bugs, we’re also adding more bugs. And for many devices that have been built on a given kernel version, there haven’t been frequent (or sometimes any) security updates, so the bug lifetime for those devices is even longer. To really create a safe kernel, we need to get proactive about self-protection technologies. The systems using a Linux kernel are right now running with security flaws. Those flaws are just not known to the developers yet, but they’re likely known to attackers.
      © 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
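The break-fix parsing and release mapping the post describes, as an added example (this is not Kees Cook's own script). It follows the "Patches_linux:" / "break-fix:" layout quoted above, including the "-" shorthand for the start of git history and multiple break-fix lines. Everything else is an assumption for the example: the "Priority:" field name, the two constructed CVE files, the fake SHAs, the release assignments (a stand-in for what `git describe --contains --match 'v*' <sha>` returns against linux.git), the release dates, and the choice to collapse several break-fix lines to the earliest introducing release and the latest fixing release.

```python
"""Security-bug lifetime from Ubuntu CVE Tracker "break-fix:" lines.

Added example, not Kees Cook's script.  The "Patches_linux:"/"break-fix:"
layout is the one quoted in the post; the "Priority:" field name, the
release assignments and the release dates are assumptions / constructed
stand-ins for `git describe --contains --match 'v*' <sha>` and
`git log -1 --format=%cs <tag>` run against a real linux.git checkout.
"""
import re
from datetime import date
from statistics import mean

ROOT_OF_HISTORY = "-"  # tracker shorthand: present since the start of git history

# Constructed release dates (in practice: taken from the v* tags in linux.git).
RELEASE_DATES = {
    "v2.6.12": date(2005, 6, 17),  # first tagged release in git history
    "v3.8": date(2013, 2, 18),
    "v3.10": date(2013, 6, 30),
    "v4.5": date(2016, 3, 13),
    "v4.8": date(2016, 10, 2),
}

FAKE_FIX_1 = "a" * 40  # constructed SHAs, not real commits
FAKE_FIX_2 = "b" * 40

# Constructed stand-in for `git describe --contains --match 'v*' <sha>` output.
# The two real SHAs are the ones quoted in the post; their assignments are assumed.
DESCRIBE = {
    "3a50597de8635cd05133bd12c95681c82fe7b878": "v3.8-rc1~32^2~5",
    "23567fd052a9abb6d67fe8e7a9ccdd9800a540f2": "v4.5-rc1~40^2~3",
    FAKE_FIX_1: "v3.10-rc2~7",
    FAKE_FIX_2: "v4.8~2",
}

# Constructed CVE files in the tracker's layout (only the fields used here).
CVE_FILES = {
    "CVE-2016-0728": (
        "Priority: high\n"
        "Patches_linux:\n"
        " break-fix: 3a50597de8635cd05133bd12c95681c82fe7b878"
        " 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2\n"
    ),
    # constructed: two fixing commits, flaw present since the git root
    "CVE-EXAMPLE-0001": (
        "Priority: medium\n"
        "Patches_linux:\n"
        " break-fix: - %s\n break-fix: - %s\n" % (FAKE_FIX_1, FAKE_FIX_2)
    ),
    # constructed: no Patches_linux block, so it must be skipped
    "CVE-EXAMPLE-0002": "Priority: low\n",
}

TAG_RE = re.compile(r"^(v\d+\.\d+(?:\.\d+)?)")


def release_of(sha):
    """Map a commit to the first release containing it; "-" means the git root.
    An -rcN tag is counted as its final release (assumption)."""
    if sha == ROOT_OF_HISTORY:
        return "v2.6.12"
    described = DESCRIBE[sha]  # in practice: subprocess.run(["git", "describe", ...])
    m = TAG_RE.match(described)
    if not m:
        raise ValueError("unparseable describe output: %s" % described)
    return m.group(1)  # "v4.5-rc1~40^2~3" -> "v4.5"


def parse_cve(text):
    """Return (priority, [(intro_sha, fix_sha), ...]) or None without break-fix lines."""
    priority, pairs, in_patches = None, [], False
    for line in text.splitlines():
        if line.startswith("Priority:"):
            priority = line.split(":", 1)[1].strip()
        elif line.startswith("Patches_linux:"):
            in_patches = True
        elif in_patches and line.startswith(" break-fix:"):
            intro, fix = line.split(":", 1)[1].split()
            pairs.append((intro, fix))
        elif not line.startswith(" "):
            in_patches = False  # any other top-level field ends the block
    return (priority, pairs) if pairs else None


def lifetime_days(pairs):
    """Earliest introducing release to latest fixing release (assumed collapse rule)."""
    intro = min(RELEASE_DATES[release_of(i)] for i, _ in pairs)
    fixed = max(RELEASE_DATES[release_of(f)] for _, f in pairs)
    return (fixed - intro).days


def summarize(files):
    """{priority: (count, mean lifetime in years)}, like the post's numerical summary."""
    by_prio = {}
    for text in files.values():
        parsed = parse_cve(text)
        if parsed is None:
            continue
        priority, pairs = parsed
        by_prio.setdefault(priority, []).append(lifetime_days(pairs) / 365.25)
    return {p: (len(v), round(mean(v), 1)) for p, v in by_prio.items()}


if __name__ == "__main__":
    for prio, (n, yrs) in summarize(CVE_FILES).items():
        print("%s: %d @ %.1f years" % (prio.capitalize(), n, yrs))
```

To reproduce the real numbers, walk the active/, retired/ and ignored/ directories of the tracker, replace the DESCRIBE lookup with a `git describe --contains` call against linux.git, and fill RELEASE_DATES from the tag dates; the rc-to-release collapse in release_of is the one place where a different convention changes the lifetimes by a couple of months.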
dwqmx posted on 2016-11-15 23:19:29
Who's the best at digging up old threads? dwqmx

Mobile version / c.CoLaBug.com (粤ICP备05003221号 | 粤公网安备 44010402000842号)

© 2001-2017 Comsenz Inc.
