WIXLIB

nerabilities (291 CVE and 77 non-CVE)2 . Based on theinsights obtained from our measurements and user study,we create a comprehensive report for each case wherewe filled in the missing information, attached the correct PoC files, and created an appropriate Docker Image/File to facilitate a quick reproduction. This can serveas a much needed large-scale evaluation dataset for researchers.In summary, our contributions are four-fold: First, we perform the first in-depth analysis on the reproducibility of crowd-reported security vulnerabilities. Our analysis covers 368 real-world memory errorvulnerabilities, which is the largest benchmark datasetto the best of our knowledge. Second, our results provide quantitative evidence onthe poor reproducibility, due to the prevalence of missing information, in vulnerability reports. We alsoidentify key factors which contribute to reproductionfailures. Third, we conduct a user study with real-world security researchers from 10 different institutions to validate our findings, and provide suggestions on how toimprove the vulnerability reproduction efficiency. Fourth, we share our full benchmark dataset of reproducible vulnerabilities (which took 3000 man-hoursto construct).2Background and MotivationsWe start by introducing the background of security vulnerability reporting and reproduction. We then proceedto describe our research goals.Security Vulnerability Reporting. In the past decade,there has been a successful crowdsourcing effort fromsecurity professionals and software users to report andshare their identified security vulnerabilities. When people identify a vulnerability, they can request a CVE IDfrom CVE Numbering Authorities (i.e., MITRE Corporation). After the vulnerability can be publicly released,the CVE ID and corresponding vulnerability informationwill be added to the CVE list [5]. The CVE list is supplied to the National Vulnerability Database (NVD) [14]where analysts can perform further investigations andadd additional information to help the distribution and reproduction. The Common Vulnerability Scoring System(CVSS) also assigns “severity scores” to vulnerabilities.CVE Website and Vulnerability Report.The CVEwebsite [5] maintains a list of known vulnerabilities thathave obtained a CVE ID. Each CVE ID has a web page2 Datasetrelease: X Associationwith a short description about the vulnerability and a listof external references. The short description only provides a high-level summary. The actual technical detailsare contained in the external references. These references could be constituted by technical reports, blog/forum posts, or sometimes a PoC. It is often the case,however, that the PoC is not available and the reporteronly describes the vulnerability, leaving the task of crafting PoCs to the community.There are other websites that often act as “externalreferences” for the CVE pages. Some websites primarily collect and archive the public exploits and PoC filesfor known vulnerabilities (e.g., ExploitDB [9]). Otherwebsites directly accept vulnerability reports from users,and support user discussions (e.g., Redhat Bugzilla [16],OpenWall [15]). Websites such as SecurityTracker [20]and SecurityFocus [21] aim to provide more completeand structured information for known vulnerabilities.Memory Error Vulnerability.A memory error vulnerability is a security vulnerability that allows attackers to manipulate in-memory content to crash a programor obtain unauthorized access to a system. Memoryerror vulnerabilities such as “Stack Overflows”, “HeapOverflows”, and “Use After Free”, have been rankedamong the most dangerous software errors [7]. Popular real-world examples include the Heartbleed vulnerability (CVE-2014-0160) that affected millions of serversand devices running HTTPS. A more recent example isthe vulnerability exploited by the WannaCry cryptoworm(CVE-2017-0144) which shut down 300,000 servers(e.g., those in hospitals and schools) around the globe.Our paper primarily focuses on memory error vulnerabilities due to their high severity and real-world impact.Vulnerability Reproduction.Once a security vulnerability is reported, there is a constant need for peopleto reproduce the vulnerability, especially highly criticalones. First and foremost, developers and vendors of thevulnerable software will need to reproduce the reportedvulnerability to analyze the root causes and generate security patches. Analysts from security firms also need toreproduce and verify the vulnerabilities to assess the corresponding threats to their customers and facilitate threatmitigations. Finally, security researchers often rely onknown vulnerabilities to benchmark and evaluate theirvulnerability detection and mitigation techniques.Our Research Questions.While existing works focus on vulnerability identification and patches [53, 26,35, 43, 45], there is a lack of systematic understandingof the vulnerability reproduction problem. Reproducinga vulnerability is a prerequisite step when diagnosing andeliminating a security threat. Anecdotal evidence suggests that vulnerability reproduction is extremely laborintensive and time-consuming [18, 53]. Our study seeks27th USENIX Security Symposium921

to provide a first in-depth understanding of reproduction difficulties of crowd-reported vulnerabilities whileexploring solutions to boost the reproducibility. Usingthe memory error vulnerability reports as examples, weseek to answer three specific questions. First, how reproducible are existing security vulnerability reports basedon the provided information? Second, what are rootcauses that contribute to the difficulty of vulnerability reproduction? Third, what are possible ways to systematically improve the efficiency of vulnerability reproduction?3Methodology and DatasetTo answer these questions, we describe our high-levelapproach and collect the dataset for our experiments.3.1Methodology OverviewOur goal is to systemically measure the reproducibility ofexisting security vulnerability reports. There are a number of challenges to perform this measurement.Challenges.The first challenge is that reproducinga vulnerability based on existing reports requires almostexclusively manual efforts. All the key steps of reproduction (e.g., reading the technical reports, installing the vulnerable software, and triggering and analyzing the crash)are different for each case, and thus cannot be automated.To analyze a large number of vulnerability reports indepth, we are required to recruit a big group of analysts towork full time for months; this is an unrealistic expectation. The second challenge is that successful vulnerability reproduction may also depend on the knowledge andskills of the security analysts. In order to provide a reliable assessment, we need to recruit real domain expertsto eliminate the impact of the incapacity of the analysts.Approaches.Given the above challenges, it is difficult for our study to achieve both depth and scale at thesame time. We decide to prioritize the depth of the analysis while maintaining a reasonable scale for generalizable results. More specifically, we select one severe typeof vulnerability (i.e., memory error vulnerability), whichallows us to form a focused group of domain experts towork on the vulnerability reproduction experiments. Wedesign a systematic procedure to assess the reproducibility of the vulnerability based on available information(instead of the hacking skills of the experts). In addition,to complement our empirical measurements, we conducta user study with external security professionals fromboth academia and industry. The latter will provide uswith their perceptions towards existing vulnerability reports and the reproduction process. Finally, we combine92227th USENIX Security 68PoCs33280412All Refs6,04406,044Valid Refs4,69404,694Table 1: Dataset overview.the results of the first two steps to discuss solutions to facilitate efficient vulnerability reproduction and improvethe usability of current vulnerability reports.3.2Vulnerability Report DatasetFor our study, we gather a large collection of reportedvulnerabilities from the past 17 years. In total, we collect two datasets including a primary dataset of vulnerabilities with CVE IDs, and a complementary dataset forvulnerabilities that do not yet have a CVE ID (Table 1).We focus on memory error vulnerabilities due to theirhigh severity and significant real-world impact. In addition to the famous examples such as Heartbleed, andWannaCry, there are more than 10,000 memory errorvulnerabilities listed on the CVE website. We crawledthe pages of the current 95K entries (2001 – 2017) andanalyzed their severity scores (CVSS). Our result showsthat the average CVSS score for memory error vulnerabilities is 7.6, which is clearly higher than the overallaverage (6.2), confirming their severity.Defining Key Terms.To avoid confusion, we definea few terms upfront. We refer to the web page of eachCVE ID on the CVE website as a CVE entry. In eachCVE entry’s reference section, the cited websites are referred as information source websites or simply sourcewebsites. The source websites provide detailed technicalreports on each vulnerability. We consider these technical reports on the source websites as the crowd-sourcedvulnerability reports for our evaluation.Primary CVE Dataset.We first obtain a randomsample of 300 CVE entries [5] on memory error vulnerabilities in Linux software (2001 to 2017). We focuson Linux software for two reasons. First, reproducinga vulnerability typically requires the source code of thevulnerable software (e.g., compilation options may affect whether the binary is vulnerable). The open-sourcedLinux software and Linux kernel make such analysispossible. As a research group, we cannot analyze closedsourced software (e.g., most Windows software), but themethodology is generally applicable (i.e., software vendors have access to their own source code). Second,Linux-based vulnerabilities have a high impact. Most enterprise servers, data center nodes, supercomputers, andeven Android devices run Linux [8, 57].From the 300 CVE entries, we obtain 291 entrieswhere the software has the source code. In the past17 years, there have been about 10,000 CVE entries onUSENIX Association

150100Install vulnerablesoftwareAttempt totrigger thevulnerabilityCollectvulnerabilityreport(s)Set up suitableoperating systemConfigurevulnerablesoftwareVerify existenceof vulnerabilityReport GatheringEnvironment SetupSoftware 010620207-4-03201200ckHe Oveap rfloInOv wtege erflr O owvNu erflowllPoIn intvaerlBS idS FreOeFo verrm float wStringOtherStaFigure 2: # of vulnerabilities over time.memory error vulnerabilities and about 2,420 are relatedto Linux software 3 . Our sampling rate is about 12%.For each CVE entry, we collect the references directlylisted in the References section and also iteratively include references contained within the direct references.Out of the total 6,044 external reference links, 4,694 webpages were still available for crawling. In addition, wecollect the proof-of-concept (PoC) files for each CVE IDif the PoCs are attached in the vulnerability reports. Certain CVE IDs have multiple PoCs, representing differentways of exploiting the vulnerability.Complementary Non-CVE Dataset. Since some entities may not request CVE IDs for the vulnerabilitiesthey identified, we also obtain a small sample of vulnerabilities that do not yet have a CVE ID. In this way, wecan enrich and diversify our vulnerability reports. Ournon-CVE dataset is collected from ExploitDB [9], thelargest archive for public exploits. At the time of writing,there are about 1,219 exploits of memory error vulnerabilities in Linux software listed on ExploitDB. Of these,316 do not have a CVE ID. We obtain a random sampleof 80 vulnerabilities; 77 of them have their source codeavailable and are included in our dataset.Justifications on the Dataset Size.We believe the368 memory error vulnerabilities (291 on CVE, about12% of coverage) form a reasonably large dataset. Tobetter contextualize the size of the dataset, we referencerecent papers that use vulnerabilities on the CVE list toevaluate their vulnerability detection/patching systems.Most of the datasets are limited to less than 10 vulnerabilities [39, 34, 32, 30, 33, 25, 46, 40, 29], while only afew larger studies achieve a scale of tens [55, 56]. Theonly studies that can scale well are those which focus onthe high-level information in the CVE entries without theneed to perform any code analysis or vulnerability verifications [43].Preliminary Analysis.Our dataset covers a diverseset of memory error vulnerabilities, 8 categories in total as shown in Figure 1. We obtained the vulnerability3 We performed direct measurements instead of using 3rd-partystatistics (e.g., cvedetails.com). 3rd-party websites often mix memory error vulnerabilities with other bigger categories (e.g., “overflow”).USENIX AssociationRetrieve softwarename, version,and PoC00Figure 1: Vulnerability type.CVE ID/Non-CVE ID5020045# of Vulnerabilities90200# of Vulnerabilities135Figure 3: Workflow of reproducing a vulnerability.types from the CVE entry’s description or its references.The vulnerability type was further verified during the reproduction. Stack Overflow and Heap Overflow are themost common types. The Invalid Free category includesboth “Use After Free” and “Double Free”. The Othercategory covers a range of other memory related vulnerabilities such as “Uninitialized Memory” and “MemoryLeakage”. Figure 2 shows the number of vulnerabilities in different years. We divide the vulnerabilities into6 time bins (five 3-year periods and one 2-year period).This over-time trend of our dataset is relatively consistentwith that of the entire CVE database [23].4Reproduction Experiment DesignGiven the vulnerability dataset, we design a systematicprocedure to measure its reproducibility. Our experiments seek to identify the key information fields that contribute to the success of reproduction while measuringthe information fields that are commonly missing fromexisting reports. In addition, we examine the most popular information sources cited by the CVE entries andtheir contributions to the reproduction.4.1Reproduction WorkflowTo assess the reproducibility of a vulnerability, we design a workflow, which delineates vulnerability reproduction as a 4-stage procedure (see Figure 3). At thereport gathering stage, a security analyst collects reportsand sources tied to a vulnerability. At the environmentsetup stage, he identifies the target version(s) of a vulnerable software, finds the corresponding source code (or binary), and sets up the operating system for that software.At the software preparation stage, the security analystcompiles and installs the vulnerable software by following the compilation and configuration options given inthe report or software specification. Sometimes, he alsoneeds to ensure the libraries needed for the vulnerablesoftware are correctly installed. At the vulnerability re-27th USENIX Security Symposium923

Type of PoCShell commandsScript program (e.g., python)C/C codeA long stringA malformed file (e.g., jpeg)Default ActionRun the commands with the default shellRun the script with the appropriate interpreterCompile code with default options and run itDirectly input the string to the vulnerable programInput the file to the vulnerable programTable 2: Default trigger method for proof-of-concept (PoC) files.production stage, he triggers and verifies the vulnerability by using the PoC provided in the vulnerability report.In our experiment, we restrict security analysts to follow this procedure, and use only the instructions and references tied to vulnerability reports. In this way, we canobjectively assess the quality of the information in existing reports, making the results not (or less) dependent onthe personal hacking ability of the analysts.4.2The Analyst TeamWe have formed a strong team of 5 security analyststo carry out our experiment. Each analyst not only hasin-depth knowledge of memory error vulnerabilities, butalso has first-hand experience analyzing vulnerabilities,writing exploits, and developing patches. The analystsregularly publish at top security venues, have rich CTFexperience, and have discovered and reported over 20new vulnerabilities–which are listed on the CVE website. In this way, we ensure that the analysts are ableto: understand the information in the reports and followthe pre-defined workflow to generate reliable results. Toprovide the “ground-truth reproducibility”, the analystswork together to reproduce as many vulnerabilities aspossible. If a vulnerability cannot be reproduced by oneanalyst, other analysts will try again.4.3Default SettingsIdeally, a vulnerability report should contain all the necessary information for a successful reproduction. Inpractice, however, the reporters may assume that the reports will be read by security professionals or softwareengineers, and thus certain “common sense” informationcan be omitted. For example, if a vulnerability does notrely on special configuration options, the reporter mightbelieve it is unnecessary to include software installationdetails in the report. To account for this, we develop aset of default settings when corresponding details are notavailable in the original report. We set the default settings as a way of modeling the basic knowledge of software analysis. Vulnerable Software Version. This information isthe “must-have” information in a report. Exhaustively92427th USENIX Security SymposiumBuilding Systemautomakeautoconf &automakecmakeDefault Commandsmake; make install./configure; make;make installmkdir build; cd build;cmake ./; make; make installTable 3: Default install commands.guessing and validating the vulnerable version is extremely time-consuming; this is an unreasonable burden for the analysts. If the version information ismissing, we regard the reproduction as a failure. Operating System. If not explicitly stated, the defaultOS will be a Linux system that was released in (orslightly before) the year when the vulnerability wasreported. This allows us to build the software with theappropriate dependencies. Installation & Configuration. We prioritize compiling using the source code of the vulnerable program.If the compilation and configuration parameters arenot provided, we install the package based on the default building systems specified in software package(see Table 3). Note that we do not introduce any extracompilation flags beyond those required for installation. Proof-of-Concept (PoC). Without a PoC, the vulnerability reproduction will be regarded as a failed attempt because it is extremely difficult to infer the PoCbased on the vulnerability description alone. Trigger Method for PoC. If there is a PoC withoutdetails on the trigger method, we attempt to infer itbased on the type of the PoC. Table 2 shows thosedefault trigger methods tied to different PoC types. Vulnerability Verification. A report may not specify the evidence of a program failure pertaining to thevulnerability. Since we deal with memory error vulnerabilities, we deem the reproduction to be successful if we observe the unexpected program termination(or program “crash”).4.4Controlled Information SourcesFor a given CVE entry, the technical details are typically available in the external references. We seek toexamine the quality of the information from differentsources. More specifically, we select the most citedw

Understanding the Reproducibility of Crowd-reported Security Vulnerabilities †‡Dongliang Mu,‡Alejandro Cuevas, §Limin Yang, §Hang Hu ‡Xinyu Xing, †Bing Mao, §Gang Wang †National Key Laboratory for Novel Software Technology, Nanjing University, China ‡College of Information Sciences and Technology, The Pennsylvania State University, USA §Department of Computer Science .