PhD Dissertation International Doctorate School in Information and Communication Technologies DISI - University of Trento Security Assessment of Open Source Third-parties Applications Stanislav Dashevskyi Advisors: Advisor: Prof. Fabio Massacci Universita` degli Studi di Trento Co-advisor: Dr. Antonino Sabetta SAP Labs France May 2017 Acknowledgements First of all, I would like to thank Professor Fabio Massacci (University of Trento, Italy) whohadbeenthesupervisorofmyPhDstudies. Iwouldliketothankhimforhissupport, his patience and for everything that he has taught me. It would be impossible to write this dissertation without his help and extremely valuable feedback. I would like to thank Dr. Antonino Sabetta (SAP Labs France) for co-supervising me. I am very thankful to Professor Achim D. Brucker (University of Sheffield, United Kingdom) for mentoring me during my stay in Germany and hosting me during my visit to the UK, for all the discussions that we had, for his invaluable contribution to my work, and for many more. I am extremely grateful to Professor Andrea De Lucia (University of Salerno, Italy), Professor Massimiliano Di Penta (University of Sannio, Italy) and Professor Paolo Tonella (Fondazione Bruno Kessler, Italy) for dedicating their valuable time to be the members of my PhD defense committee. I am very thankful to them for providing the extremely helpful feedback on this dissertation. I would like to thank my colleagues Katsiaryna Labunets, Luca Allodi, Viet Hung Nguyen, Avinash Sudhodanan, Nadia Metoui, Mojtaba Eskandari, and Daniel Ricardo Dos Santos. I was fortunate to meet you. I would like to thank all the wonderful people that I met (there are too many names, but I remember you all). I thank you for the good moments that we shared together during this period of my life. My special gratitude goes to my future wife Kateryna Tymoshenko and to my family for being with me throughout the bad moments, and for their love and support. Abstract Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. In this dissertation we discuss challenges that large software vendors face when they must integrate and maintain FOSS components into their software supply chain. Each time a vulnerability is disclosed in a FOSS component, a software vendor mustdecide whether toupdate the component, patch the applicationitself, or justdo nothing as the vulnerability is not applicable to the deployed version that may be old enough to be not vulnerable. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components, and offer more than a decade of support and security fixes for applications that include these components. First, we design a framework for performing security vulnerability experimentations. In particular, for testing known exploits for publicly disclosed vulnerabilities against different versions and software configurations. Second, we provide an automatic screening test for quickly identifying the versions of FOSS components likely affected by newly disclosed vulnerabilities: a novel method that scans across the entire repository of a FOSS component in a matter of minutes. We show that our screening test scales to large open source projects. Finally, for facilitating the global security maintenance of a large portfolio of FOSS components, we discuss various characteristics of FOSS components and their potential impact on the security maintenance effort, and empirically identify the key drivers. Keywords Security Vulnerabilities; Security Maintenance; Third-party Components; Free and Open Source Software; Vulnerability Screening Test Contents 1 Introduction 1 1.1 Problems of Secure FOSS Integration and Consumption . . . . . . . . . . . 2 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Dissertation Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 Background 7 2.1 Overview of Third-party Components . . . . . . . . . . . . . . . . . . . . . 7 2.2 What Makes FOSS Special? . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.3 Certification and Empirical Assessment of Third-party Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3.1 Selection and Integration of FOSS components . . . . . . . . . . . . 10 2.3.2 Empirical Assessment of Vulnerabilities . . . . . . . . . . . . . . . . 12 2.4 The Economic Impact of Security Maintenance . . . . . . . . . . . . . . . . 15 3 An Exploratory Case Study at a Large Software Vendor 17 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.2 Secure Software Development Lifecycle . . . . . . . . . . . . . . . . . . . . 18 3.3 FOSS Components Approval Processes . . . . . . . . . . . . . . . . . . . . 21 3.3.1 Outbound FOSS Approval Process . . . . . . . . . . . . . . . . . . 22 3.3.2 Inbound FOSS Approval Process . . . . . . . . . . . . . . . . . . . 22 3.3.3 Security Checks Revisited . . . . . . . . . . . . . . . . . . . . . . . 23 3.4 FOSS Maintenance And Response . . . . . . . . . . . . . . . . . . . . . . . 24 3.5 Preliminary Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.5.1 FOSS Integration and Maintenance Checklist . . . . . . . . . . . . 26 3.5.2 FOSS Organizational and Process Measures . . . . . . . . . . . . . 27 3.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4 TestREx: a Testbed for Repeatable Exploits 31 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 4.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 i 4.3 Overview of TestREx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 4.3.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.3.2 Typical workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.4.1 Execution Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.4.2 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.4.3 Images and Containers . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.4.4 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 4.4.5 Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 4.4.6 Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 4.5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 4.6 Contributing to TestREx . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 4.6.1 Deploying an Application . . . . . . . . . . . . . . . . . . . . . . . 46 4.6.2 Creating Configuration Files and Building Containers . . . . . . . . 46 4.6.3 Creating and Running an Exploit . . . . . . . . . . . . . . . . . . . 47 4.7 Potential Industrial Application . . . . . . . . . . . . . . . . . . . . . . . . 49 4.7.1 Support for Internal Security Testing and Validation . . . . . . . . 49 4.7.2 Support for Testing of Third-parties Applications . . . . . . . . . . 49 4.7.3 Analysis and Training . . . . . . . . . . . . . . . . . . . . . . . . . 50 4.8 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.8.1 Lessons learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.8.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 5 A Screening Test for Disclosed Vulnerabilities in FOSS Components 53 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 5.2 Research Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 5.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 5.3.1 Identifying the vulnerable coding . . . . . . . . . . . . . . . . . . 56 5.3.2 The SZZ approach: tracking the origin of the vulnerable coding . 57 5.3.3 Empirical studies on trade-offs between the security risk posed by the presence of the vulnerable coding and the maintainability . . . 58 5.4 Terminology and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 59 5.5 Vulnerability Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 5.5.1 Deletion Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 5.5.2 Method Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 5.5.3 “Combined” Deletion Screening . . . . . . . . . . . . . . . . . . . . 64 5.5.4 Fix Dependency Screening . . . . . . . . . . . . . . . . . . . . . . . 64 5.6 Implementing the Fix Dependency Sphere . . . . . . . . . . . . . . . . . . 65 5.7 Data Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 ii 5.8 Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 5.9 Decision Support for Security Maintenance . . . . . . . . . . . . . . . . . . 81 5.10 Threats to Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 5.11 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 6 Effort Models for Security Maintenance of FOSS Components 89 6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 6.2 A Conceptual Model of Business And Technical Drivers . . . . . . . . . . . 91 6.2.1 Proxy For Code Complexity Drivers . . . . . . . . . . . . . . . . . . 93 6.2.2 FOSS Community Drivers . . . . . . . . . . . . . . . . . . . . . . . 93 6.2.3 Secure Development, Testing, Maintenance And Contribution Drivers 94 6.3 From Drivers to Effort Model for FOSS Maintenance . . . . . . . . . . . . 95 6.4 Identification of Empirical Data . . . . . . . . . . . . . . . . . . . . . . . . 100 6.5 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 6.6 Threats to validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 6.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 7 Conclusions and Future Work 109 Bibliography 111 iii List of Tables 2.1 Vulnerability and bug prediction approaches . . . . . . . . . . . . . . . . . 13 3.1 Popular Java projects used by our industrial partner . . . . . . . . . . . . 21 3.2 Historical vulnerabilities of 166 FOSS components . . . . . . . . . . . . . . 26 4.1 Available exploits in TestREx corpus . . . . . . . . . . . . . . . . . . . . 32 4.2 Security testing and experimentation tools . . . . . . . . . . . . . . . . . . 34 4.3 Applications in the corpus . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.4 Software components for generic images currently provided with TestREx 40 4.5 Security flaws of web applications . . . . . . . . . . . . . . . . . . . . . . . 43 4.6 Number of exploits in the corpus . . . . . . . . . . . . . . . . . . . . . . . 45 5.1 Maintenance Cycles of Enterprise Software . . . . . . . . . . . . . . . . . . 55 5.2 The sample of FOSS projects used in this chapter . . . . . . . . . . . . . . 68 5.3 Runtime performance of fix dependency evidence . . . . . . . . . . . . . . 73 5.4 Construction of a fix dependency sphere . . . . . . . . . . . . . . . . . . . 74 5.4 Construction of a fix dependency sphere . . . . . . . . . . . . . . . . . . . 75 5.4 Construction of a fix dependency sphere . . . . . . . . . . . . . . . . . . . 76 5.5 Performance of the screening tests . . . . . . . . . . . . . . . . . . . . . . . 79 6.1 Proxy for code complexity drivers . . . . . . . . . . . . . . . . . . . . . . . 93 6.2 FOSS community drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 6.3 Secure development and testing, maintenance and contribution model drivers 96 6.4 Cross correlations of the explanatory variables . . . . . . . . . . . . . . . . 103 6.5 Variables used for analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 6.6 Descriptive statistics of the variables used for the analysis . . . . . . . . . . 105 6.7 Regression Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 v