Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

Qiushi Wu (University of Minnesota), Yang He (University of Minnesota), Stephen McCamant (University of Minnesota), Kangjie Lu (University of Minnesota)

A bug is a vulnerability if it has security impacts when triggered.
Determining the security impacts of a bug is important to both defenders
and attackers. Maintainers of large software systems are bombarded with
numerous bug reports and proposed patches, with missing or unreliable
information about their impact. Determining which few bugs are
vulnerabilities is difficult, and bugs that a maintainer believes do not
have security impact will be de-prioritized or even ignored. On the
other hand, a public report of a bug with a security impact is a
powerful first step towards exploitation. Adversaries may exploit such
bugs to launch devastating attacks if defenders do not fix them
promptly. Common practice is for maintainers to assess the security
impacts of bugs manually, but the scaling and reliability challenges of
manual analysis lead to missed vulnerabilities.

We propose an automated approach, Sid, to determine the security impacts
for a bug given a patch, so that maintainers can effectively prioritize
applying the patch to the affected programs. The insight behind Sid is
that both the effect of a patch (either submitted or applied) and
security-rule violations (e.g., out-of-bound access) can be modeled as
constraints that can be automatically solved. Sid incorporates rule
comparison, using under-constrained symbolic execution of a patch to
determine the security impacts of an un-applied patch. Sid can further
automatically classify vulnerabilities based on their security impacts.
We have implemented Sid and applied it to bug patches of the Linux
kernel and matching CVE-assigned vulnerabilities to evaluate its
precision and recall. We optimized Sid to reduce false positives, and
our evaluation shows that, from 66K recent commits, Sid detected 227
security bugs with at least 243 security impacts at a 97% precision
rate. Critically, 197 of them were not reported as vulnerabilities
before, leading to delayed or ignored patching in derivative programs.
Even worse, 21 of them are still unpatched in the latest Android kernel.
Once exploited, they can cause critical security impacts to Android
devices. The evaluation results confirm that Sid's approach is
effective and accurate in automatically determining security impacts for
a massive stream of bug patches.
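
A simplified illustration of the insight that a patch's effect and a security-rule violation can both be written as constraints and checked for satisfiability. This is an added example, not Sid's implementation: the interval model, the decision rule in `security_impact`, the function names and the 16-element buffer are assumptions made for illustration.

```python
# Toy rule comparison over ONE symbolic integer (an array index).
# A path condition is a list of inclusive (lo, hi) intervals; an empty
# list means "unsatisfiable". Assumed: 32-bit signed index.
INT_MIN, INT_MAX = -2**31, 2**31 - 1
UNCONSTRAINED = [(INT_MIN, INT_MAX)]  # under-constrained: caller is unknown

def intersect(a, b):
    """Conjunction of two constraints, each a list of inclusive intervals."""
    out = []
    for lo1, hi1 in a:
        for lo2, hi2 in b:
            lo, hi = max(lo1, lo2), min(hi1, hi2)
            if lo <= hi:
                out.append((lo, hi))
    return out

def violation(rule, size):
    """Index values that break the named security rule for a buffer of `size`."""
    if rule == "out-of-bound access":
        return [(INT_MIN, -1), (size, INT_MAX)]
    raise ValueError("unknown rule: " + rule)

def security_impact(unpatched_path, patched_path, rule, size):
    """Assumed decision rule: the patch has impact `rule` when a violation is
    satisfiable on the unpatched path and unsatisfiable on the patched path.
    Returns (has_impact, violating values before, violating values after)."""
    bad = violation(rule, size)
    before = intersect(unpatched_path, bad)
    after = intersect(patched_path, bad)
    return bool(before) and not after, before, after

# Constructed sample: code reads buf[idx] where buf has 16 elements.
RULE, SIZE = "out-of-bound access", 16
# Hypothetical patch adds: if (idx < 0 || idx >= 16) return -EINVAL;
FULL_PATCH = intersect(UNCONSTRAINED, [(0, 15)])
# Hypothetical incomplete patch adds only: if (idx >= 16) return -EINVAL;
PARTIAL_PATCH = intersect(UNCONSTRAINED, [(INT_MIN, 15)])
# Hypothetical redundant patch: the index was already checked before the change.
ALREADY_SAFE = [(0, 15)]

if __name__ == "__main__":
    for name, pre, post in [("full", UNCONSTRAINED, FULL_PATCH),
                            ("partial", UNCONSTRAINED, PARTIAL_PATCH),
                            ("redundant", ALREADY_SAFE, ALREADY_SAFE)]:
        print(name, security_impact(pre, post, RULE, SIZE))
```

Only the full patch is classified as having the out-of-bound impact: the partial patch still leaves negative indices satisfiable, and the redundant patch blocks nothing that was reachable before it.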