Resident Evil: After-Life Vulnerabilities in Firefox. A Study on Firefox Evolution, its Vulnerabilities, and its Fixes

From TCS Group Internal Wiki


Speaker: Fabio Massacci from University of Trento

Time and Place: 10:15 in Room 1537

Title: Resident Evil: After-Life Vulnerabilities in Firefox. A Study on Firefox Evolution, its Vulnerabilities, and its Fixes

Abstract

I will discuss the interplay between the evolution of Firefox source code and its vulnerabilities over six major versions (v1.0, v1.5, v2.0, v3.0, v3.5, and v3.6) spanning almost ten years of development, integrating a number of sources (NVD, CVE, MFSA, Firefox CVS).

Somewhat surprisingly, we found out that a large fraction of today's vulnerabilities apply to code from older versions that are no longer maintained. We call these after-life vulnerabilities. This somewhat contradicts and somewhat confirms the Milk-or-Wine study of Ozment and Schechter: we did not find enough evidence that most vulnerabilities are foundational, while they are still more numerous than they should be.

The surprise will be spelled out after digging into a new metric which we call the LOC's market share (as opposed to the software or version market share), where we are able to show that old code is still very much in use, both in terms of instances and as global codebase: versions might be replaced in the span of 6 months, but we actually use the same code as 10 years ago.

This is empirical evidence that the software-evolution-as-security solution (patching software and automatic updates) might not work, and that vulnerabilities will have to be mitigated by other means.

Joint work with S. Neuhaus and V. H. Nguyen.