Abstract

Security patches of Open Source Software (OSS) point out the vulnerable source code and provide security fixes, which can be misused by attackers to generate exploits as N-day attacks. Though the best practice for defending against this type of N-day attack is to patch the software in a timely manner, doing so becomes a challenge when a system bundles multiple OSS components, each with a large number of patches covering security fixes, bug fixes, and new features. Even worse, software vendors may secretly patch their vulnerabilities without reporting to CVE or providing any explicit description in change logs. Hence, armored attackers may compromise not only unpatched versions of the same software, but also other software with similar functionality, due to code cloning or similar logic. We consider this one type of “0-day” vulnerability. Since such secret security patches should be correctly identified and applied with high priority, we develop a machine-learning-based toolset to help distinguish security patches from non-security patches. We then conduct an empirical analysis of three popular open source SSL libraries to study the existence of security patches. Our experimental results suggest that a joint effort is needed to eliminate this type of “0-day” attack introduced by secret patches.
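The abstract describes classifying patches as security-relevant or not so that silently fixed vulnerabilities can be prioritised. The following is an added example, not the paper's toolset or its feature set: it extracts a few simple features from a git-format patch (security vocabulary in the commit message, newly added guard conditions, and risky memory calls in the touched hunks) and applies an illustrative hand-weighted score. The two sample patches, the file path `ssl/record.c`, the keyword lists and the weights are all constructed for this example. A real toolset would learn the weights from labelled patches; the point here is that the diff body carries signal even when the commit message, as in the "silent fix" sample, says nothing about security.

```python
"""Heuristic security-patch triage over git-format patches (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical hint vocabularies chosen for this example, not the paper's features.
SECURITY_TERMS = (
    "overflow", "out-of-bounds", "use-after-free", "double free", "null pointer",
    "denial of service", "cve-", "vulnerab", "exploit", "security", "bounds check",
    "memory leak",
)
RISKY_CALLS = ("memcpy", "strcpy", "strcat", "sprintf", "alloca", "gets(")
# An added line that introduces a guard: "+    if (len > sizeof(buf))"
CHECK_PATTERN = re.compile(r"^\+\s*if\s*\(.*(<|>|==|!=|NULL|len|size|sizeof).*\)")


@dataclass
class PatchFeatures:
    message_term_hits: int = 0   # security vocabulary in the commit message
    added_checks: int = 0        # guard conditions introduced by the patch
    risky_call_lines: int = 0    # hunk lines (added, removed or context) touching risky calls
    added_lines: int = 0
    removed_lines: int = 0
    files: List[str] = field(default_factory=list)


def split_patch(patch: str) -> Tuple[str, str]:
    """Split a git-format patch into (commit message, diff body)."""
    idx = patch.find("diff --git")
    return (patch, "") if idx < 0 else (patch[:idx], patch[idx:])


def extract_features(patch: str) -> PatchFeatures:
    message, diff = split_patch(patch)
    f = PatchFeatures()
    lower_msg = message.lower()
    f.message_term_hits = sum(lower_msg.count(term) for term in SECURITY_TERMS)
    for line in diff.splitlines():
        if line.startswith("diff --git"):
            f.files.append(line.split()[-1][2:])   # "b/ssl/record.c" -> "ssl/record.c"
            continue
        if line.startswith(("+++", "---", "@@", "index ")):
            continue
        if line.startswith("+"):
            f.added_lines += 1
            if CHECK_PATTERN.match(line):
                f.added_checks += 1
        elif line.startswith("-"):
            f.removed_lines += 1
        # Context lines are inspected too: a guard added next to a memcpy is a strong hint.
        if any(call in line for call in RISKY_CALLS):
            f.risky_call_lines += 1
    return f


def security_score(f: PatchFeatures) -> float:
    """Linear score with illustrative (not learned) weights; bulk is penalised slightly."""
    score = 2.0 * f.message_term_hits + 1.5 * f.added_checks + 1.0 * f.risky_call_lines
    return score - 0.01 * (f.added_lines + f.removed_lines)


def is_likely_security_patch(patch: str, threshold: float = 2.0) -> bool:
    return security_score(extract_features(patch)) >= threshold


# Constructed sample: a length check added before a copy, with a commit message
# that says nothing about security (the "secret patch" case from the abstract).
SILENT_FIX = """\
Tidy up record handling

diff --git a/ssl/record.c b/ssl/record.c
--- a/ssl/record.c
+++ b/ssl/record.c
@@ -40,6 +40,8 @@ int read_record(struct rec *r, const unsigned char *in, size_t inlen)
     size_t len = in[0] << 8 | in[1];
+    if (len > sizeof(r->payload))
+        return -1;
     memcpy(r->payload, in + 2, len);
     return 0;
 }
"""

# Constructed sample: a cosmetic change that should not be flagged.
COSMETIC = """\
Update copyright year in headers

diff --git a/ssl/record.c b/ssl/record.c
--- a/ssl/record.c
+++ b/ssl/record.c
@@ -1,4 +1,4 @@
-/* Copyright 2018 Example Project */
+/* Copyright 2019 Example Project */
 /* Record layer helpers */
"""

if __name__ == "__main__":
    for name, patch in (("silent fix", SILENT_FIX), ("cosmetic", COSMETIC)):
        feats = extract_features(patch)
        print(f"{name}: score={security_score(feats):.2f} "
              f"security={is_likely_security_patch(patch)} features={feats}")
```

Running the block flags the silent fix (an added guard next to a `memcpy`) and leaves the cosmetic change unflagged, even though neither commit message mentions security. In practice the message-only features are exactly the ones a vendor's silent patch defeats, which is why the diff-body features carry the weight here.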
