Patching configurable systems is challenging due to the complexity of testing these systems. Some of the problems that need to be addressed in this context include identification of the configurations that can reveal the bugs related to the patches and identification of the configurations that should be used for validating the patched version. We present a tool, CONFER, that can help developers in solving these problems. Our approach uses the patch report to identify configuration variables related to the vulnerable version and those that are related to the fixed version. We apply CONFER to BusyBox, a configurable system that is popular in the Internet of Things (IoT) domain. Analyzing the patches related to the memory vulnerabilities in BusyBox reveals that approximately half of the patched vulnerabilities are somehow configuration related although only 16% of the patches explicitly refer to the configuration variables. Half of the configuration relevant vulnerabilities involve configuration variable settings that are consistent with the default configuration defined for Android. We show effectiveness of CONFER in generating patch relevant configurations for BusyBox and discuss its modes and limitations.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Exploring the Configuration Space of BusyBox Vulnerabilities with CONFER

  • Tuba Yavuz

摘要

Patching configurable systems is challenging due to the complexity of testing these systems. Some of the problems that need to be addressed in this context include identification of the configurations that can reveal the bugs related to the patches and identification of the configurations that should be used for validating the patched version. We present a tool, CONFER, that can help developers in solving these problems. Our approach uses the patch report to identify configuration variables related to the vulnerable version and those that are related to the fixed version. We apply CONFER to BusyBox, a configurable system that is popular in the Internet of Things (IoT) domain. Analyzing the patches related to the memory vulnerabilities in BusyBox reveals that approximately half of the patched vulnerabilities are somehow configuration related although only 16% of the patches explicitly refer to the configuration variables. Half of the configuration relevant vulnerabilities involve configuration variable settings that are consistent with the default configuration defined for Android. We show effectiveness of CONFER in generating patch relevant configurations for BusyBox and discuss its modes and limitations.