-
VFCFinder: Seamlessly Pairing Security Advisories and Patches
Authors:
Trevor Dunlap,
Elizabeth Lin,
William Enck,
Bradley Reaves
Abstract:
Security advisories are the primary channel of communication for discovered vulnerabilities in open-source software, but they often lack crucial information. Specifically, 63% of vulnerability database reports are missing their patch links, also referred to as vulnerability fixing commits (VFCs). This paper introduces VFCFinder, a tool that generates the top-five ranked set of VFCs for a given security advisory using Natural Language Programming Language (NL-PL) models. VFCFinder yields a 96.6% recall for finding the correct VFC within the Top-5 commits, and an 80.0% recall for the Top-1 ranked commit. VFCFinder generalizes to nine different programming languages and outperforms state-of-the-art approaches by 36 percentage points in terms of Top-1 recall. As a practical contribution, we used VFCFinder to backfill over 300 missing VFCs in the GitHub Security Advisory (GHSA) database. All of the VFCs were accepted and merged into the GHSA database. In addition to demonstrating a practical pairing of security advisories to VFCs, our general open-source implementation will allow vulnerability database maintainers to drastically improve data quality, supporting efforts to secure the software supply chain.
Submitted 2 November, 2023;
originally announced November 2023.
-
S3C2 Summit 2023-02: Industry Secure Supply Chain Summit
Authors:
Trevor Dunlap,
Yasemin Acar,
Michel Cucker,
William Enck,
Alexandros Kapravelos,
Christian Kastner,
Laurie Williams
Abstract:
Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On February 22, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 15 companies. The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security and to help form new collaborations. We conducted six panel discussions based upon open-ended questions regarding software bill of materials (SBOMs), malicious commits, choosing new dependencies, build and deploy, the Executive Order 14028, and vulnerable dependencies. The open discussions enabled mutual sharing and shed light on common challenges that industry practitioners with practical experience face when securing their software supply chain. In this paper, we provide a summary of the Summit. Full panel questions can be found in the appendix.
Submitted 31 July, 2023;
originally announced July 2023.
-
Rank 2 affine MV polytopes
Authors:
Pierre Baumann,
Thomas Dunlap,
Joel Kamnitzer,
Peter Tingley
Abstract:
We give a realization of the infinity crystal for affine sl(2) using decorated polygons. The construction and proof are combinatorial, making use of Kashiwara and Saito's characterization of the infinity crystal in terms of the * involution. The polygons we use have combinatorial properties suggesting they are the analogues in this case of the Mirkovic-Vilonen polytopes defined by Anderson and the third author in finite type. Using Kashiwara's similarity of crystals we also give MV polytopes for $A_2^{(2)}$, the only other rank two affine Kac-Moody algebra.
Submitted 28 February, 2012;
originally announced February 2012.