Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

Qiushi Wu (University of Minnesota), Yang He (University of Minnesota), Stephen McCamant (University of Minnesota), Kangjie Lu (University of Minnesota)

A bug is a vulnerability if it has security impacts when triggered. Determining the security impacts of a bug is important to both defenders and attackers. Maintainers of large software systems are bombarded with numerous bug reports and proposed patches, with missing or unreliable information about their impact. Determining which few bugs are vulnerabilities is difficult, and bugs that a maintainer believes do not have security impact will be de-prioritized or even ignored. On the other hand, a public report of a bug with a security impact is a powerful first step towards exploitation. Adversaries may exploit such bugs to launch devastating attacks if defenders do not fix them promptly. Common practice is for maintainers to assess the security impacts of bugs manually, but the scaling and reliability challenges of manual analysis lead to missed vulnerabilities.

We propose an automated approach, Sid, to determine the security impacts for a bug given a patch, so that maintainers can effectively prioritize applying the patch to the affected programs. The insight behind Sid is that both the effect of a patch (either submitted or applied) and security-rule violations (e.g., out-of-bound access) can be modeled as constraints that can be automatically solved. Sid incorporates rule comparison, using under-constrained symbolic execution of a patch to determine the security impacts of an un-applied patch. Sid can further automatically classify vulnerabilities based on their security impacts. We have implemented Sid and applied it to bug patches of the Linux kernel and matching CVE-assigned vulnerabilities to evaluate its precision and recall. We optimized Sid to reduce false positives, and our evaluation shows that, from 66K recent commits, Sid detected 227 security bugs with at least 243 security impacts at a 97% precision rate. Critically, 197 of them were not reported as vulnerabilities before, leading to delayed or ignored patching in derivative programs. Even worse, 21 of them are still unpatched in the latest Android kernel. Once exploited, they can cause critical security impacts to Android devices. The evaluation results confirm that Sid's approach is effective and accurate in automatically determining security impacts for a massive stream of bug patches.