DOI: 10.1145/3646548.3672585
ACM Conference Proceedings (SPLC), research article, open access

Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants

Published: 02 September 2024

Abstract

In the face of critical security vulnerabilities, patch and update management is a crucial and challenging part of the software life cycle. In software product families, patching is even harder: a vendor has to support many variants, and those variants are not equally affected by a given patch. The naive “better-patched-than-sorry” approach applies every patch to every variant, which incurs avoidable costs for developers and customers, because variants that a patch does not even touch are patched and redeployed.
In this paper we introduce SiB (Should I Bother?), a heuristic patch-filtering method for statically-configurable software that efficiently identifies the patches that are irrelevant for a specific variant. To solve this variability-aware patch-filtering problem, SiB compares the line ranges a patch modifies with the source-code line ranges that each currently deployed variant actually includes; a patch whose modified ranges lie entirely outside a variant's included code cannot affect that variant and can be skipped for it. We apply our prototype for C-preprocessor (CPP) managed variability to four open-source projects (Linux, OpenSSL, SQLite, Bochs) and show that SiB is both effective and efficient at reducing the number of patches that have to be considered for unaffected variants. It correctly classifies up to 68 percent of variants as unaffected at a recall of 100 percent, that is, it reduces deployments significantly without missing a single relevant patch.
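The line-range comparison the abstract describes, as an added example; this is my own illustration, not the SiB prototype or the paper's artifact. It derives the line ranges a variant includes from a small model of `#ifdef`/`#ifndef`/`#else`/`#endif` conditional compilation, reads the pre-patch line ranges a unified diff touches from its hunks, and declares a variant unaffected only when no touched range intersects an included range. Two deliberately conservative choices keep recall at 100 percent, which is what such a filter needs: an inserted line counts as touching both old lines it lands between (so an insertion into an `#ifdef` block is caught), and a patched file the caller cannot supply is treated as affecting every variant. The file name `parse.c`, the macro `FEATURE_LEGACY`, the sample source and the patch are all constructed for this example; `#if` expressions, `#include` expansion and build-system file selection, which a real CPP-level analysis has to handle, are out of scope here.

```python
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
COND_RE = re.compile(r"#\s*(ifdef|ifndef|else|endif|if|elif)\b\s*(\w*)")

def included_ranges(source, defined):
    """1-based (start, end) ranges of `source` compiled when exactly `defined` is set.
    Models only #ifdef/#ifndef/#else/#endif; directive lines are never included."""
    ranges, stack, active, start, lineno = [], [], True, None, 0
    for lineno, line in enumerate(source.splitlines(), 1):
        m = COND_RE.match(line.strip())
        if m:
            kw, name = m.groups()
            if kw in ("if", "elif"):
                raise ValueError("#if/#elif expressions are not modelled here")
            if kw in ("ifdef", "ifndef"):
                taken = (name in defined) == (kw == "ifdef")
                stack.append((active, taken))  # (enclosing state, branch taken)
                active = active and taken
            elif kw == "else":
                enclosing, taken = stack.pop()
                stack.append((enclosing, True))
                active = enclosing and not taken
            else:  # endif: restore the enclosing state
                active, _ = stack.pop()
            if start is not None:  # a directive closes any open range
                ranges.append((start, lineno - 1))
                start = None
        elif active and start is None:
            start = lineno
    if start is not None:
        ranges.append((start, lineno))
    return ranges

def modified_old_lines(diff):
    """Pre-patch line ranges each file's hunks touch: every '-' line, and for a '+'
    line both old lines it lands between (deliberately conservative)."""
    touched, path, old = {}, None, None
    for line in diff.splitlines():
        if old is None and line.startswith("--- "):
            path = line[4:].split("\t")[0].removeprefix("a/")
            touched.setdefault(path, [])
        elif (m := HUNK_RE.match(line)):
            old = int(m.group(1))  # first old line covered by this hunk
        elif old is None or line.startswith(("+++ ", "\\")):
            continue  # '+++' header or '\ No newline at end of file'
        elif line.startswith("-"):
            touched[path].append((old, old))
            old += 1
        elif line.startswith("+"):
            touched[path].append((max(old - 1, 1), old))
        else:  # unchanged context line
            old += 1
    return touched

def classify(diff, sources, variants):
    """sources: {path: pre-patch text}; variants: {name: set of defined macros}.
    Unaffected only if no touched range meets a compiled line; unknown files affect all."""
    touched, verdict = modified_old_lines(diff), {}
    for name, defined in variants.items():
        verdict[name] = "unaffected"
        for path, ranges in touched.items():
            if path not in sources or any(
                    t[0] <= i[1] and i[0] <= t[1]  # closed-interval overlap
                    for t in ranges for i in included_ranges(sources[path], defined)):
                verdict[name] = "affected"
                break
    return verdict

# Constructed sample input (not from the paper): the pre-patch file ...
SAMPLE_SOURCE = """\
int parse(const char *buf, int len)
{
#ifdef FEATURE_LEGACY
    char tmp[16];
    memcpy(tmp, buf, len);
    return tmp[0];
#else
    if (len < 1)
        return -1;
    return buf[0];
#endif
}
"""

# ... and a constructed diff -U1 patch that only rewrites line 5, inside the legacy branch.
SAMPLE_PATCH = """\
--- a/parse.c
+++ b/parse.c
@@ -4,3 +4,5 @@
     char tmp[16];
-    memcpy(tmp, buf, len);
+    if (len > (int)sizeof(tmp))
+        return -1;
+    memcpy(tmp, buf, len);
     return tmp[0];
"""

VARIANTS = {"legacy": {"FEATURE_LEGACY"}, "modern": set()}
```

`classify(SAMPLE_PATCH, {"parse.c": SAMPLE_SOURCE}, VARIANTS)` returns `legacy` as affected and `modern` as unaffected: the patch rewrites line 5, which the `modern` variant never compiles. The pairwise overlap test is quadratic in the number of ranges; for project-scale inputs, sort each variant's included ranges once and binary-search every touched range against them instead.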


Published In

SPLC '24: Proceedings of the 28th ACM International Systems and Software Product Line Conference, September 2024, 103 pages
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Patch Filtering
  2. Software Evolution
  3. Software Product Lines

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SPLC '24
Overall Acceptance Rate: 167 of 463 submissions, 36%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 103 (last 12 months: 103; last 6 weeks: 26)
Reflects downloads up to 03 Jan 2025
