Annual Computer Security Applications Conference 2010


Familiarity Breeds Contempt: The Honeymoon Effect and The Role of Legacy Code in Zero-Day Vulnerabilities


Sandy Clark
University of Pennsylvania
United States

Stefan Frei
Secunia
Sweden

Matt Blaze
University of Pennsylvania
United States

Jonathan Smith
University of Pennsylvania
United States

Abstract:
Security vulnerabilities in software are believed to be fundamentally
different than software defects ("bugs"). Previous efforts to
understand software vulnerabilities have primarily focused on three
points in the life-cycle: (1) finding and removing software defects,
(2) patching or hardening software after vulnerabilities have
been discovered, and (3) attempts to measure the rate of
vulnerability exploitation.
The focus of this paper is on an earlier phase of
the software vulnerability life-cycle, from the date of release of
each version through the discovery of the fourth publicly disclosed
vulnerability, and particularly with the earliest phase, the time up
to disclosure of the very first vulnerability.

Analysis of software vulnerability data, including up to a decade of
data for several versions of the most popular operating systems,
server applications and user applications (both open and closed
source), shows that properties extrinsic to the software play a
much greater role in the rate of vulnerability discovery than do
intrinsic properties such as software quality. This leads to the
observation that (at least in the first phase of a product's
existence), software vulnerabilities have different properties than
software defects.

We call the period after the
release of a software product (or version) and before the discovery
of the first vulnerability the 'Honeymoon', and show that familiarity with
the system is the primary driver for the length of the honeymoon
period. We also demonstrate that legacy code resulting from code
re-use is a major contributor to both the rate of vulnerability
discovery and the number of vulnerabilities found; this has significant
implications for software engineering principles and practice.