In vulnerability assessments, attributing CVEs to identified software components is a common method for identifying potentially vulnerable systems at scale. However, such version-centric approaches yield high false-positive rates for binary-distributed Linux kernels in firmware images. One reason for unreliable matching is that vulnerable components which were never compiled into the build are not filtered out: heterogeneous hardware properties, modularity, and numerous development streams result in a plethora of vendor-customized builds. To take a step towards more reliable results while retaining the scalability of the analysis method, we enrich version-based CVE matching with kernel-specific build data recovered from binary images using automated static firmware analysis. We open-source an attribution pipeline that gathers the kernel configuration and target architecture, dry-builds the present kernel version, and filters CVEs based on the affected-file references in record descriptions. In a case study with 127 router firmware images, we show that, compared to naive version matching, our approach identifies 68% of all version CVE matches as false positives and reliably removes them from the result set. For 12% of all matches it provides additional evidence of issue applicability. For 19.4%, our approach does not improve reliability because the required file references in the CVE records are missing.
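The abstract describes a three-stage refinement of version-based matching: recover configuration and architecture, dry-build to learn which source files are actually compiled, then filter version matches by the file paths named in CVE descriptions. The following Python block is an added illustration of that pipeline's decision logic and is not the paper's open-sourced code. It assumes a simplified Kbuild model (a CONFIG option guards a list of source files, arch/ trees other than the target are dropped), a constructed kernel configuration, and constructed CVE records with placeholder identifiers; real CVE descriptions, version ranges and Kbuild rules would be substituted for these.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Source-file references as they appear in CVE descriptions, e.g.
# "net/bluetooth/l2cap_core.c". The set of kernel tree roots is an
# assumption of this example, not taken from the paper.
KERNEL_PATH_RE = re.compile(
    r"\b((?:arch|block|crypto|drivers|fs|include|kernel|lib|mm|net|security|sound|virt)"
    r"/[A-Za-z0-9_./-]+\.(?:c|h|S))\b"
)


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    description: str
    first_affected: str  # inclusive lower bound of the affected range
    first_fixed: str     # exclusive upper bound ("fixed in")


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.4.60' -> (4, 4, 60); tuple comparison orders versions."""
    return tuple(int(p) for p in v.split("."))


def version_matches(kernel_version: str, rec: CveRecord) -> bool:
    """Naive version-centric match: is the kernel inside the affected range?"""
    v = parse_version(kernel_version)
    return parse_version(rec.first_affected) <= v < parse_version(rec.first_fixed)


def dry_build_files(config: Dict[str, str], kbuild_rules: Dict[str, List[str]],
                    arch: str) -> Set[str]:
    """Model of a dry build (assumption: simplified Kbuild semantics).

    A file is compiled if its guarding CONFIG option is 'y' or 'm', or if it
    is unconditional (rule key ""). Files under arch/ are only built for the
    target architecture.
    """
    built: Set[str] = set()
    for option, files in kbuild_rules.items():
        if option and config.get(option, "n") not in ("y", "m"):
            continue  # option disabled or absent: file never compiled
        for f in files:
            if f.startswith("arch/") and not f.startswith(f"arch/{arch}/"):
                continue  # foreign architecture tree
            built.add(f)
    return built


def referenced_files(description: str) -> Set[str]:
    """Extract kernel source paths named in a CVE description."""
    return set(KERNEL_PATH_RE.findall(description))


def classify(rec: CveRecord, kernel_version: str, built: Set[str]) -> str:
    """Outcome categories mirror the paper's three result classes."""
    if not version_matches(kernel_version, rec):
        return "version-mismatch"     # not even a naive match
    refs = referenced_files(rec.description)
    if not refs:
        return "no-file-evidence"     # cannot improve on version matching
    if refs & built:
        return "applicable"           # extra evidence: affected file was compiled
    return "filtered"                 # affected file not in this build


def attribute_cves(records: List[CveRecord], kernel_version: str,
                   config: Dict[str, str], kbuild_rules: Dict[str, List[str]],
                   arch: str) -> Dict[str, str]:
    built = dry_build_files(config, kbuild_rules, arch)
    return {r.cve_id: classify(r, kernel_version, built) for r in records}


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count outcomes among naive version matches only."""
    counts: Dict[str, int] = {}
    for cat in results.values():
        if cat != "version-mismatch":
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# --- constructed sample input (not real data) ---
KERNEL_VERSION = "4.4.60"
ARCH = "arm"
SAMPLE_CONFIG = {"CONFIG_NETFILTER": "y", "CONFIG_BT": "n"}  # CONFIG_USB_GADGET unset
SAMPLE_KBUILD = {
    "": ["kernel/sched/core.c", "arch/arm/kernel/setup.c", "arch/x86/kernel/setup.c"],
    "CONFIG_NETFILTER": ["net/netfilter/nf_tables_api.c"],
    "CONFIG_BT": ["net/bluetooth/l2cap_core.c"],
    "CONFIG_USB_GADGET": ["drivers/usb/gadget/composite.c"],
}
SAMPLE_RECORDS = [
    CveRecord("CVE-EXAMPLE-0001", "net/bluetooth/l2cap_core.c in the Linux kernel "
              "before 4.4.100 mishandles a constructed condition.", "0", "4.4.100"),
    CveRecord("CVE-EXAMPLE-0002", "A constructed flaw in net/netfilter/nf_tables_api.c "
              "in the Linux kernel before 4.5.", "0", "4.5"),
    CveRecord("CVE-EXAMPLE-0003", "The Linux kernel before 4.4.70 mishandles a "
              "constructed case in the SCTP implementation.", "0", "4.4.70"),
    CveRecord("CVE-EXAMPLE-0004", "drivers/usb/gadget/composite.c in the Linux kernel "
              "before 4.4.30 has a constructed issue.", "0", "4.4.30"),
]

if __name__ == "__main__":
    res = attribute_cves(SAMPLE_RECORDS, KERNEL_VERSION, SAMPLE_CONFIG, SAMPLE_KBUILD, ARCH)
    for cve_id, outcome in res.items():
        print(f"{cve_id}: {outcome}")
    print(summarize(res))
```

The `version-mismatch` class is what naive matching already rejects; the other three classes partition the naive matches the way the paper's 68% / 12% / 19.4% figures do. In practice the dry-build step is the expensive part, since it must reproduce the vendor's configuration and architecture before the compiled file set is trustworthy.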