ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Fri 19 May 2023 16:37 - 16:45 at Meeting Room 105 - Vulnerability testing and patching Chair(s): Cristian Cadar

Software updates reduce the opportunity for exploitation. However, since updates can also introduce breaking changes, enterprises must balance the need to secure software through updates against the need to keep operations running. We propose a methodology to quantitatively investigate the effectiveness of software update strategies against attacks by Advanced Persistent Threats (APTs). We consider strategies ranging from ones in which the vendor's releases are the only limiting factor to ones in which enterprises delay updates by 1 to 7 months, based on SANS data. Our manually curated dataset of APT attacks covers 86 APTs and 350 campaigns from 2008 to 2020. It includes information about attack vectors, exploited vulnerabilities (e.g. 0-days vs. public vulnerabilities), and affected software and versions. Contrary to common belief, most APT campaigns employed publicly known vulnerabilities. If an enterprise could theoretically update as soon as an update is released, it would face lower odds of being compromised than one waiting one (4.9x) or three (9.1x) months. However, if attacked, it could still be compromised from 14% to 33% of the time. Since in practice enterprises must perform regression testing before applying an update, our major finding is that one could perform only 12% of all possible updates, restricting oneself to versions that fix publicly known vulnerabilities, without significantly changing the odds of being compromised compared to a company that applies every version.
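As an added illustration (not the paper's code or dataset), the toy model below shows how the comparison described in the abstract can be computed: a strategy applies each vendor release after a fixed delay, optionally only releases fixing publicly known vulnerabilities, and a campaign succeeds when the version installed on the attack date is still vulnerable; the odds ratio against immediate updating is the quantity the abstract reports as "4.9x". The release history, the campaigns and the version-based vulnerability model are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from fractions import Fraction

@dataclass(frozen=True)
class Release:
    version: int
    released: date
    fixes_public_vuln: bool   # release patches a publicly disclosed vulnerability

@dataclass(frozen=True)
class Campaign:
    attack_date: date
    vulnerable_until: int     # highest vulnerable version; version + 1 carries the fix

# Constructed release history of one hypothetical product (not the paper's data).
RELEASES = [
    Release(1, date(2019, 1, 1), False), Release(2, date(2019, 3, 1), True),
    Release(3, date(2019, 5, 1), False), Release(4, date(2019, 8, 1), True),
    Release(5, date(2019, 11, 1), False),
]
# Constructed campaigns; the 2019-02-10 one is a 0-day (fix v2 not yet released).
CAMPAIGNS = [
    Campaign(date(2019, 4, 15), 1), Campaign(date(2019, 2, 10), 1),
    Campaign(date(2019, 9, 20), 3), Campaign(date(2019, 12, 1), 1),
    Campaign(date(2019, 8, 20), 3), Campaign(date(2019, 6, 10), 1),
]

def installed_version(when: date, delay_days: int, security_only: bool = False) -> int:
    """Version running on `when`: each eligible release is applied delay_days
    after the vendor ships it. 0 is the pre-v1 baseline, treated as vulnerable."""
    version = 0
    for r in RELEASES:
        if security_only and not r.fixes_public_vuln:
            continue                      # this strategy skips non-security releases
        if r.released + timedelta(days=delay_days) <= when:
            version = r.version
    return version

def compromise_rate(delay_days: int, security_only: bool = False) -> Fraction:
    """Fraction of campaigns that find the enterprise on a vulnerable version."""
    hits = sum(installed_version(c.attack_date, delay_days, security_only) <= c.vulnerable_until
               for c in CAMPAIGNS)
    return Fraction(hits, len(CAMPAIGNS))

def odds_ratio(p: Fraction, q: Fraction) -> Fraction:
    return (p / (1 - p)) / (q / (1 - q))   # odds under rate p relative to rate q

def updates_performed(security_only: bool = False) -> int:
    return sum(1 for r in RELEASES if r.fixes_public_vuln or not security_only)
```

On this constructed data a 90-day delay raises the odds of compromise 10x over immediate updating, while installing only the two security releases gives the same compromise rate as installing all five, mirroring the shape of the abstract's finding.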

Fri 19 May


15:45 - 17:15
Vulnerability testing and patching (Technical Track / Journal-First Papers / DEMO - Demonstrations) at Meeting Room 105
Chair(s): Cristian Cadar Imperial College London, UK
15:45
15m
Talk
Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation
Technical Track
Jiamou Sun CSIRO's Data61, Zhenchang Xing, Qinghua Lu CSIRO's Data61, Xiwei (Sherry) Xu CSIRO's Data61, Liming Zhu CSIRO's Data61, Thong Hoang Data61, CSIRO, Dehai Zhao Australian National University, Australia
16:00
15m
Talk
Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects (Distinguished Paper Award)
Technical Track
Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Zhengzi Xu Nanyang Technological University, Sen Chen Tianjin University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Wu Jiahui Nanyang Technological University, Yang Liu Nanyang Technological University
16:15
15m
Talk
Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs
Technical Track
Davide Corradini University of Verona, Michele Pasqua University of Verona, Mariano Ceccato University of Verona
Pre-print
16:30
7m
Talk
Patchmatch: A Tool for Locating Patches of Open Source Project Vulnerabilities
DEMO - Demonstrations
Kedi Shen Zhejiang University City College, Yun Zhang Zhejiang University City College, Lingfeng Bao Zhejiang University, Zhiyuan Wan Zhejiang University, Zhuorong Li Zhejiang University City College, Minghui Wu Zhejiang University City College
16:37
8m
Talk
Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats
Journal-First Papers
Giorgio Di Tizio University of Trento, Michele Armellini University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam
16:45
7m
Talk
SSPCatcher: Learning to Catch Security Patches
Journal-First Papers
Arthur D. Sawadogo Université du Québec à Montréal, Tegawendé F. Bissyandé SnT, University of Luxembourg, Naouel Moha École de Technologie Supérieure (ETS), Kevin Allix CentraleSupelec Rennes, Jacques Klein University of Luxembourg, Li Li Beihang University, Yves Le Traon University of Luxembourg, Luxembourg
16:52
15m
Talk
CoLeFunDa: Explainable Silent Vulnerability Fix Identification
Technical Track
Jiayuan Zhou Huawei, Michael Pacheco Centre for Software Excellence, Huawei, Jinfu Chen Centre for Software Excellence, Huawei, Canada, Xing Hu Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Ahmed E. Hassan Queen’s University