[Xen-devel] [Research] Correlation of Patch Delivery Delay and Access Complexity
Hello xen-devel,

In the context of my master's thesis I am performing an analysis of hypervisor security vulnerabilities. Part of this analysis is, among others, the relation between Patch Delivery Delay and various characteristics of the identified vulnerabilities. Patch delivery delay has been defined in my work as the time between CVE assignment (taken from http://cve.mitre.org/) and the public release date of a corresponding security advisory or patch. Advisory release dates have been taken from http://xenbits.xen.org/xsa/ and the wiki page for historical releases. For vulnerabilities before XSA-1 it is the date of the fixing git commit.

During the analysis I came across the attached figure, which shows the relation between the above-mentioned "Patch Delivery Delay" and the "Access Complexity" as defined in https://www.first.org/cvss/cvss-v2-guide.pdf. In short, Access Complexity describes the complexity of an attack after an attacker has gained access to the vulnerable system. The data for each vulnerability has been obtained from the National Vulnerability Database (https://nvd.nist.gov/).

The attached figure contains the three possible Access Complexity values (Low, Medium, High) along the X-axis. The Y-axis shows the average delay in days (calculated using a trimmed mean) of all vulnerabilities featuring the respective access complexity. The numbers atop the bars indicate the number of vulnerabilities used to calculate the average value.

The figure suggests that a "higher" Access Complexity leads to a prolonged Patch Delivery Delay. Why is that? I was hoping that someone with a little more insight into the process could maybe explain why such a relation makes sense. Or maybe it does not, and the correlation is just a coincidence in that case.

Thank you and regards,
Stefan Geißler

Attachment:
PatchingDelay_Xen.png
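The metric described in the post (delay in days from CVE assignment to advisory release, averaged per CVSS v2 Access Complexity with a trimmed mean) can be reproduced with a few lines of Python. The following is an added example and not part of the original message or the thesis; the vulnerability records are constructed sample data, not real XSA/CVE entries, and the trim fraction of 0.2 is an assumption, since the post does not state which fraction was trimmed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed sample records (NOT real XSA/CVE data). Each record carries the
# CVE assignment date, the advisory/patch release date, and the CVSS v2
# Access Complexity value as it would be read from NVD. One outlier per group
# shows why a trimmed mean is used instead of a plain mean.
_CONSTRUCTED_DELAYS = {
    "Low": [3, 5, 7, 9, 100],
    "Medium": [10, 14, 18, 22, 26],
    "High": [20, 30, 40, 50, 200],
}

SAMPLE_VULNS = []
for _ac, _delays in _CONSTRUCTED_DELAYS.items():
    for _i, _delay in enumerate(_delays):
        _assigned = date(2013, 1, 1) + timedelta(days=30 * len(SAMPLE_VULNS))
        SAMPLE_VULNS.append({
            "id": f"SAMPLE-{_ac}-{_i}",          # placeholder, not a CVE id
            "cve_assigned": _assigned,
            "advisory": _assigned + timedelta(days=_delay),
            "access_complexity": _ac,
        })


def delivery_delay_days(cve_assigned, advisory):
    """Patch delivery delay as defined in the post: days between CVE
    assignment and the public advisory/patch release."""
    return (advisory - cve_assigned).days


def trimmed_mean(values, trim_fraction=0.2):
    """Mean after discarding the lowest and highest trim_fraction of the
    sorted values (same convention as scipy.stats.trim_mean: int(n * f)
    values are cut from each end). Falls back to a plain mean when the
    sample is too small for any value to be trimmed."""
    if not values:
        raise ValueError("trimmed_mean of an empty sample")
    ordered = sorted(values)
    k = int(len(ordered) * trim_fraction)
    if k:
        ordered = ordered[k:len(ordered) - k]
    return mean(ordered)


def delay_by_access_complexity(vulns, trim_fraction=0.2):
    """Group vulnerabilities by Access Complexity and return, per group,
    the sample size (the number printed atop each bar in the figure) and
    the trimmed-mean delay in days (the bar height)."""
    groups = defaultdict(list)
    for v in vulns:
        groups[v["access_complexity"]].append(
            delivery_delay_days(v["cve_assigned"], v["advisory"]))
    return {ac: (len(d), trimmed_mean(d, trim_fraction))
            for ac, d in groups.items()}


if __name__ == "__main__":
    for ac in ("Low", "Medium", "High"):
        n, avg = delay_by_access_complexity(SAMPLE_VULNS)[ac]
        print(f"{ac:<6} n={n} trimmed-mean delay={avg} days")
```

The trimming matters for exactly the reason the figure needs it: a single very late advisory in a small group (the 100- and 200-day outliers above) would otherwise dominate the bar for that Access Complexity value, so a plain mean would overstate the correlation the post asks about.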