DOI: 10.1145/3597503.3639104
Research article, Open access

Strengthening Supply Chain Security with Fine-grained Safe Patch Identification

Published: 12 April 2024

Abstract

Enhancing supply chain security is crucial, and often involves detecting patches in upstream software. However, existing security patch analysis approaches yield relatively low recall (i.e., they miss many security patches). In this work, we offer a new solution that detects safe patches and assists downstream developers in patch propagation. Specifically, we develop SPatch to detect fine-grained safe patches. SPatch leverages fine-grained patch analysis and a new differential symbolic execution technique to analyze the functional impact of code changes.
We evaluated SPatch on various software, including the Linux kernel and OpenSSL, and showed that it outperforms existing methods in detecting safe patches, with observable security benefits. In our case studies, we updated hundreds of functions in modern software using safe patches detected by SPatch without causing any regression issues. Safe security patches detected by SPatch have been merged into the latest version of downstream software such as ProtonVPN.

Published In

ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, May 2024, 2942 pages. ISBN: 9798400702174. DOI: 10.1145/3597503

    In-Cooperation

    • Faculty of Engineering of University of Porto

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. supply chain security
    2. fine-grained patch analysis
    3. differential symbolic execution

    Funding Sources

    • CUHK

    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%
