CVECenter: Industry Practice of Automated Vulnerability Management for Linux Distribution Community
Vulnerability management is important but labor-intensive for Linux distribution communities to continuously identify, assess, and fix vulnerabilities related to the system. However, due to the complexity of the vulnerability management process and the gap between maintainers’ needs and existing tools, there is little systematic study on the implementation of automated vulnerability management for Linux distributions. In this paper, in collaboration with Alibaba developers and community maintainers, we develop a vulnerability management system called CVECenter and conduct the industry practice on 3 Linux distributions, which are responsible for many companies’ internal business and external elastic computing services. We address the following challenges in developing CVECenter and deploying it to Linux distributions: cross-platform vulnerability sorting failure, multi-source vulnerability record structure inconsistency, large-scale vulnerability retrieval response delay, manual vulnerability assessment cost, vulnerability auto-fixing tools absence, and continuous vulnerability management complexity. At CVECenter, we have successfully managed over 9,000 CVEs that have affected Anolis OS. The system reduces the median time in the overall management by 4X, 19X, and 27X compared to the traditional three-step approach in the OpenAnolis community, Debian, and Fedora, respectively.
Fri 19 JulDisplayed time zone: Brasilia, Distrito Federal, Brazil change
14:00 - 15:30 | |||
14:00 18mTalk | PPM: Automated Generation of Diverse Programming Problems for Benchmarking Code Generation Models Research Papers Simin Chen University of Texas at Dallas, XiaoNing Feng Taiyuan University of Technology, Xiaohong Han Taiyuan University of Technology, Cong Liu University of California, Riverside, Wei Yang University of Texas at Dallas | ||
14:18 18mTalk | Demystifying Invariant Effectiveness for Securing Smart Contracts Research Papers Zhiyang Chen University of Toronto, Ye Liu Nanyang Technological University, Sidi Mohamed Beillahi University of Toronto, Yi Li Nanyang Technological University, Fan Long University of Toronto Link to publication Pre-print Media Attached | ||
14:36 18mTalk | Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? Research Papers Kaixuan Li East China Normal University, Yue Xue Metatrust Labs, Sen Chen Tianjin University, Han Liu East China Normal University, Kairan Sun Nanyang Technological University, Ming Hu Singapore Management University, Haijun Wang Xi'an Jiaotong University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University Pre-print | ||
14:54 18mTalk | On the Contents and Utility of IoT Cybersecurity Guidelines Research Papers Jesse Chen University of Arizona, Dharun Anandayuvaraj Purdue University, James C. Davis Purdue University, Sazzadur Rahaman University of Arizona DOI Pre-print | ||
15:12 18mTalk | CVECenter: Industry Practice of Automated Vulnerability Management for Linux Distribution Community Industry Papers Jing Luo Central South University, Heyuan Shi Central South University, Yongchao Zhang Alibaba, Runzhe Wang Alibaba Group, Yuheng Shen Tsinghua University, Yuao Chen Alibaba, Rongkai Liu Central South University, Xiaohai Shi Alibaba Group, Chao Hu Central South University, Yu Jiang Tsinghua University | ||