+ Moving Targets: Security and Rapid-Release in Firefox (paper by Sandy Clark, Michael Collis, Matt Blaze and Jonathan M. Smith, CCS 2014). Presented by Carlos Bernal-Cárdenas.

+ Motivation
"To design, build, and deploy secure applications, [...] integrate security into your application development life cycle and adapt your current software engineering practices and methodologies to include specific security-related activities."

+ Related Work: Software Development
Woody et al. surveyed Agile developers about the impact of security engineering activities on software development under Agile approaches.
Seacord et al. note that the traditional patch-and-install model is problematic.
Bessey et al. discuss the prevailing attitudes towards software upgrades in terms of the number of bugs each release introduces.

+ Related Work: Firefox Software Engineering
Firefox has been the focus of prior software-quality research over its long history as an open source project.
Khomh et al. evaluated the effect of the rapid release model using metrics different from those used in this paper: number of bugs after release, median daily crash count, and median uptime.
Almossawi's work examines the maintainability of the Firefox codebase since the switch to the RRC.

+ Related Work: Lifecycle Issues
Foundational work on vulnerability lifecycles concluded that "windows of vulnerability" exist, during which software is more likely to be compromised.
Gopalakrishna and Spafford speculated that the increasing rate of vulnerability discovery was the result of attackers learning the code over time.
Ozment, however, points out that this incorrectly assumes that a fixed share of the total user population is looking for vulnerabilities.
Clark et al. posited the existence of a grace period (the "honeymoon" effect) that software enjoys immediately after its release, before attackers have learned the new codebase.

+ Goals
Validate whether the switch to Agile RRC development introduces large numbers of new vulnerabilities into the software.
Identify where in the codebase vulnerabilities are being discovered (old code versus newly added code).
Check whether the number of vulnerabilities detected has increased since the switch to the RRC.

+ Outline
Motivation
Related Work
Contributions
Methodology
Conclusion
Quiz

+ Contributions
A new data set of Firefox vulnerabilities.
Quantitative evidence of:
a low rate of increase in vulnerabilities since the Firefox RRC began;
major vulnerabilities are not in the new code;
vulnerabilities are frequently not disclosed until the RRC version that introduced them is already obsolete.
The observation that frequent releases might provide some protection.
Further supporting evidence for an exploit-free grace period created by the attacker's learning curve.

+ Methodology: Assumptions
With each addition of new code, a number of new software defects are also added.
New vulnerabilities are also introduced, and will eventually be discovered and disclosed.
Attackers analyze the codebase searching for weaknesses in both old and new code.

+ Methodology: Vulnerability Taxonomy
Baseline vulnerabilities: vulnerabilities that affect the original codebase on which the RRC was based.
Regressive vulnerabilities: vulnerabilities discovered and disclosed in code after the version in which it was introduced has been obsoleted by a more recent version.
New vulnerabilities: vulnerabilities that affect the current version of the code at the time of disclosure but do not affect previous versions.

+ Methodology: Why Firefox?
Firefox has been an open source project since its initial release in 2004.
Firefox has a well-maintained and publicly available bug database.
It is a frequent target of attackers.
Mozilla runs a bug bounty program.
Firefox has development history under both the ESR and RRC approaches.

+ Methodology: Data Collection
617 bug IDs were issued between the inception of the RRC and the time of writing of the paper.
The code was extracted from the Mercurial repository.
Files with extensions such as .c, .cc, .cpp, .css, .h, ... were included.
Firefox's Extended Support Releases were also examined.

+ Methodology: Limitations
Because a vulnerability is unknown until someone reports it, the discovery date of any given vulnerability is hard to obtain.
The authors therefore use the disclosure date as an approximation of the discovery date.
Since Firefox is a frequent attack target, Mozilla responds quickly, issuing inter-cycle point releases for critical vulnerabilities.
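The taxonomy on the Vulnerability Taxonomy slide, and the disclosure-date proxy from the Limitations slide, can be made concrete with a small classifier. The following is an added example written for this transcript; it is not code from the paper or from Mozilla. The release timeline, the bug identifiers and the vulnerability records are constructed for the example (the dates only mimic a roughly six-week cycle; they are not Mozilla's release calendar), and the `introduced_in` field stands in for whatever "earliest affected version" the paper's data set records.

```python
"""Classify vulnerability records into the paper's three categories
(baseline / regressive / new) and measure how long each flaw shipped before
disclosure, using disclosure date as the proxy for discovery date."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Tuple

# Constructed release timeline: (major version, release date). The first entry
# is the codebase the rapid-release cycle (RRC) was based on; every later one is
# an RRC release. Dates are illustrative, spaced roughly like a 42-day cycle.
RELEASES: List[Tuple[int, date]] = [
    (4, date(2011, 3, 22)),
    (5, date(2011, 6, 21)),
    (6, date(2011, 8, 16)),
    (7, date(2011, 9, 27)),
    (8, date(2011, 11, 8)),
    (9, date(2011, 12, 20)),
]
BASELINE_VERSION = RELEASES[0][0]
RELEASE_DATE: Dict[int, date] = dict(RELEASES)


@dataclass(frozen=True)
class Vuln:
    bug_id: str          # hypothetical identifier, not a real Bugzilla ID
    disclosed: date      # public disclosure date, used as a proxy for discovery
    introduced_in: int   # earliest major version whose code carries the flaw


def current_version_at(when: date) -> int:
    """Newest major version that had already shipped on the given date."""
    shipped = [v for v, released in RELEASES if released <= when]
    if not shipped:
        raise ValueError(f"no release on or before {when}")
    return max(shipped)


def classify(v: Vuln) -> str:
    """Apply the taxonomy exactly as the slides state it."""
    if v.introduced_in <= BASELINE_VERSION:
        return "baseline"        # affects the pre-RRC codebase
    current = current_version_at(v.disclosed)
    if v.introduced_in > current:
        # Inconsistent record: the flaw cannot predate the version it lives in.
        raise ValueError(f"{v.bug_id}: disclosed before version {v.introduced_in} shipped")
    if v.introduced_in == current:
        return "new"             # only the version current at disclosure carries it
    return "regressive"          # the introducing version is already obsolete


def window_days(v: Vuln) -> int:
    """Days the flaw shipped before disclosure. This is a lower bound on the
    real window of vulnerability, because disclosure is at or after discovery."""
    version = max(v.introduced_in, BASELINE_VERSION)   # baseline flaws start at the RRC base
    if version not in RELEASE_DATE:
        raise ValueError(f"{v.bug_id}: no release date for version {version}")
    return (v.disclosed - RELEASE_DATE[version]).days


def summarize(vulns: List[Vuln]) -> Dict[str, Dict[str, float]]:
    """Count per category and report the median window: the shape of evidence
    behind RQ1 (rate) and RQ2 (scope) on the later slides."""
    buckets: Dict[str, List[int]] = {"baseline": [], "regressive": [], "new": []}
    for v in vulns:
        buckets[classify(v)].append(window_days(v))
    return {cat: {"count": len(days),
                  "median_window_days": median(days) if days else 0}
            for cat, days in buckets.items()}


# Constructed sample records (not real Firefox bugs).
SAMPLE: List[Vuln] = [
    Vuln("bug-1", date(2011, 7, 5), 3),    # predates the RRC base -> baseline
    Vuln("bug-2", date(2011, 7, 5), 5),    # v5 current at disclosure -> new
    Vuln("bug-3", date(2011, 9, 1), 5),    # v6 already out -> regressive
    Vuln("bug-4", date(2011, 12, 1), 8),   # v8 current at disclosure -> new
    Vuln("bug-5", date(2011, 12, 25), 4),  # the RRC base itself -> baseline
    Vuln("bug-6", date(2012, 1, 10), 7),   # v9 already out -> regressive
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.bug_id}: {classify(v):10s} window={window_days(v):4d} days")
    print(summarize(SAMPLE))
```

Note that the classification of a record depends on the release calendar at the disclosure date, not on the fix date, which is why the inter-cycle point releases mentioned on the Limitations slide do not move a record between categories here; only the taxonomy's own boundaries (baseline version, version current at disclosure) do.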

+ RRC Versus ESR
RRC: "Rapid release advances our mission in important ways. We get features and improvements to users faster. We get new APIs and standards out to web developers faster."
ESR: "Maintenance of each ESR, through point releases, is limited to high-risk/high-impact security vulnerabilities and in rare cases may also include off-schedule releases that address live security vulnerabilities."
What would we expect to see?
An increase in the number of vulnerabilities.
The scope of vulnerabilities should change.
Frequent changes should increase the rate of vulnerabilities.

+ Research Questions
1. Does the addition of 250k+ LOC every 42 days markedly increase the number of vulnerabilities discovered and disclosed?
2. Is the scope of disclosed vulnerabilities confined to code introduced under the RRC?
3. Are the RRC vulnerabilities easier to find?

+ RQ1

+ RQ2

+ RQ3

+ Conclusions
Vulnerabilities are disclosed in the older code at least as often as in the newer code.
Firefox's rapid-release cycle exposes the software to a shorter window of vulnerability.
The authors' study suggests that attacker familiarity with a codebase is a useful heuristic for estimating how quickly its vulnerabilities will be discovered.

+ Quiz
What are the four reasons the authors chose Firefox as the subject of their study?
What is the main focus of Agile approaches compared with models intended to produce secure systems?
Why do rapid-release cycles expose Firefox to a shorter window of vulnerability?

+ Questions?