Ubuntu Vulnerability Study

Project members: Moulika Bollinadi, Joshua Moore, and Stephen Tate

This page contains full information, data, and scripts used for a 2019 study of vulnerabilities in Ubuntu LTS releases, from 12.04 to 18.04.

Overview

This project undertook a careful study of vulnerabilities in open-source software, performing both a longitudinal study over 7 years of data and an in-depth exploration of a particular type of vulnerability. First, data was mined from Ubuntu security notices from 2012 to 2019, specifically pulling security notices published within the first year of each of the four stable releases during that time. This provided a dataset covering 3,232 security vulnerabilities, which were cross-referenced with other information, allowing us to identify trends in types of vulnerabilities over the past 7 years. Within these results, we see that out-of-bounds memory access (which includes the classic "buffer overflow" vulnerability) has consistently been the most pernicious security weakness, so in the second part of this research we performed an in-depth study of a random sample of 30 recent out-of-bounds access vulnerabilities. Beginning by evaluating each vulnerability in terms of seven features, we identified trends and patterns and expanded the analysis to a total of eleven features. These results help further understanding of how out-of-bounds access vulnerabilities occur in real software, which can help both researchers looking to improve tools for vulnerability analysis and developers learning how to avoid common pitfalls.

Publication

A report of this work has been published as

Stephen R. Tate, Moulika Bollinadi, and Joshua Moore. "Characterizing Vulnerabilities in a Major Linux Distribution," in Proceedings of the 32nd International Conference on Software Engineering and Knowlege Engineering (SEKE), 2020.

Detailed Results -- CWE classes

Due to page limitations in the published paper (above), only the most significant results were published. We give full results and information here.

CWEs in the general "Out-of-Bounds Access" class

• CWE-118: Incorrect Access of Indexable Resource ('Range Error')
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-122: Heap-based Buffer Overflow
• CWE-123: Write-what-where Condition
• CWE-125: Out-of-bounds Read
• CWE-126: Buffer Over-read
• CWE-129: Improper Validation of Array Index
• CWE-787: Out-of-bounds Write

CWEs in the general "Permissions" class

• CWE-264: Permissions, Privileges, and Access Controls
• CWE-749: Exposed Dangerous Method or Function

CWEs in the general "Pointer issues" class

• CWE-415: Double Free
• CWE-416: Use After Free
• CWE-465: Pointer Issues
• CWE-824: Access of Uninitialized Pointer
• CWE-825: Expired Pointer Dereference

CWEs in the general "Input validation" class

• CWE-20: Improper Input Validation
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command (`OS Command Injection')
• CWE-79: Improper Neutralization of Input During Web Page Generation (`Cross-site Scripting')
• CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (`SQL Injection')
• CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
• CWE-91: XML Injection (aka Blind XPath Injection)
• CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
• CWE-94: Improper Control of Generation of Code (`Code Injection')
• CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
• CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
• CWE-134: Use of Externally-Controlled Format String
• CWE-943: Improper Neutralization of Special Elements in Data Query Logic

CWEs in the general "Resource management" class

• CWE-399: Resource Management Errors
• CWE-404: Improper Resource Shutdown or Release
• CWE-502: Deserialization of Untrusted Data
• CWE-769: Uncontrolled File Descriptor Consumption
• CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
• CWE-913: Improper Control of Dynamically-Managed Code Resources
• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWEs in the general "Numeric errors" class

• CWE-189: Numeric Errors

Scripts

This full set of scripts that were used to process Ubuntu Security Notices, CVE Tracker data, and NVD database entries are in a GitHub repository at https://github.com/srtate/usn-processing. Using these scripts it is possible to fully replicate our process using public data. Note that the results might differ slightly, because both data used from the NIST National Vulnerability Database may have been changed/updated, as well as information from the Ubuntu CVE Tracker.

SPAN Lab - An Education and Research Lab at the University of North Carolina at Greensboro