Adam Barth, Saung Li, Benjamin I. P. Rubinstein, and Dawn Song
31 August 2011
Many open-source projects land security fixes in public repositories before shipping these patches to users. This paper presents attacks on such projects---taking Firefox as a case-study---that exploit patch metadata to efficiently search for security patches prior to shipping. Using access-restricted bug reports linked from patch descriptions, security patches can be immediately identified for 260 out of 300 days of Firefox 3 development. In response to Mozilla obfuscating descriptions, we show that machine learning can exploit metadata such as patch author to search for security patches, extending the total window of vulnerability by 5 months in an 8 month period when examining up to two patches daily. Finally we present strong evidence that further metadata obfuscation is unlikely to prevent information leaks, and we argue that open-source projects instead ought to keep security patches secret until they are ready to be released.