Research Paper by Dumitras Presented at IEEE Symposium on Security and Privacy

A research paper co-authored by a University of Maryland expert in software vulnerabilities is being presented tomorrow (May 20) at the 36th IEEE Symposium on Security and Privacy in San Jose, Calif.

Tudor Dumitras, an assistant professor of electrical and computer engineering with appointments in UMIACS and the Maryland Cybersecurity Center (MC2), collaborated with researchers from the University of Maryland, IMDEA Software Institute, Symantec Research Labs, and Universidad Politécnica de Madrid to examine how well software updating mechanisms work.

Their paper, "The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching,” analyzed the software patching process on 8.4 million hosts—computers connected to one another via the Internet—over a period of five years.

The research team noted 1,593 vulnerabilities—weaknesses that allow a system to be compromised—from 10 client-side applications. They then measured how quickly users adopted security patches for the vulnerabilities.

The team used Symantec’s Worldwide Intelligence Network Environment (WINE) for their research, a platform built by Dumitras for the purpose of experimenting with big data techniques in cybersecurity.

They found that patching rates vary widely among applications and application versions, Dumitras says, often leaving large numbers of hosts open to attack for long periods of time.

“Patching vulnerabilities completely is difficult because a host may be affected by multiple instances of the same vulnerability,” Dumitras says.

For example, the vulnerability may affect a library that is used in multiple applications—Adobe Flash Player and Adobe Reader share similar vulnerabilities because Reader includes a library for playing Flash files embedded in PDFs.

Users may also install multiple versions of the application; for example, device drivers such as printers often install an old version of Adobe Reader to allow the user to read the manual.

In these situations, many hosts patch only one instance of the vulnerability, giving attackers a long window of opportunity for attacking the vulnerable hosts. The research team found that the median fraction of hosts patched when exploits are released is, at most, about 14 percent. This suggests that it is difficult to patch vulnerabilities before attackers can exploit them, Dumitras says.

He notes that the research team’s findings will enable system administrators and security analysts to assess the risks associated with vulnerabilities, taking into account all the phases in the patch deployment process.

Learn more about the team's research here.