Hello xen-devel,

In context of my master's thesis I am performing an analysis of
hypervisor security vulnerabilities. Content of this analysis is, among
others, the relation of Patch Delivery Delay and various characteristics
of the identified vulnerabilities.

Patch delivery delay has been defined in my work as the time between
CVE assignment (taken from http://cve.mitre.org/) and the public release
date of a corresponding security advisory or patch. Advisory release
dates have been taken from http://xenbits.xen.org/xsa/ and the wiki page
for historical releases.
For vulnerabilities before XSA-1 it is the date of the fixing git commit.

During the analysis I came across the attached figure that shows the
relation of the above-mentioned "Patch Delivery Delay" and the "Access
Complexity" as defined in https://www.first.org/cvss/cvss-v2-guide.pdf.
In short, Access Complexity describes the complexity of an attack after
an attacker has gained access to the vulnerable system. The data for
each vulnerability has been obtained from the National Vulnerability
Database (https://nvd.nist.gov/).

The attached figure contains the three possible Access Complexity values
(Low, Medium, High) along the X-Axis. The Y-Axis shows the average delay
in days (calculated by using a trimmed mean) of all vulnerabilities
featuring the respective access complexity. The numbers atop the bars
indicate the number of vulnerabilities used to calculate the average value.

The figure suggests that a "higher" Access Complexity leads to a
prolonged Patch Delivery Delay. Why is that? I was hoping that someone
with a little more insight into the process could maybe explain why such
a relation makes sense, or maybe it does not and the correlation is just
a coincidence in that case.

Thank you and regards,
Stefan Geißler
Xen-devel mailing list
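As an added example (not part of the post above or of any Xen project tooling), the metric the post describes computed over constructed records: the Patch Delivery Delay of each vulnerability as advisory date minus CVE assignment date, then a symmetric trimmed mean per CVSS v2 Access Complexity group with the count of records behind each value. The CVE ids, dates and trimming proportion are made up, and the negative-delay check is an assumption added here, since a CVE assigned after the advisory would otherwise silently pull the average down.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    cve_id: str              # constructed placeholder, not a real CVE
    access_complexity: str   # CVSS v2 Access Complexity: "Low", "Medium" or "High"
    cve_assigned: date       # CVE assignment date (cve.mitre.org in the post)
    advisory_released: date  # XSA release date, or fixing commit date before XSA-1

    def delay_days(self) -> int:
        """Patch Delivery Delay as defined in the post: advisory date minus CVE assignment date."""
        return (self.advisory_released - self.cve_assigned).days


# Constructed sample data; values are chosen for the example, not taken from real XSAs.
SAMPLE = [
    Vuln("CVE-XXXX-0001", "Low", date(2012, 1, 2), date(2012, 1, 16)),
    Vuln("CVE-XXXX-0002", "Low", date(2012, 3, 1), date(2012, 3, 21)),
    Vuln("CVE-XXXX-0003", "Low", date(2012, 5, 1), date(2012, 5, 31)),
    Vuln("CVE-XXXX-0004", "Low", date(2012, 6, 1), date(2012, 12, 18)),
    Vuln("CVE-XXXX-0005", "Medium", date(2013, 2, 1), date(2013, 2, 11)),
    Vuln("CVE-XXXX-0006", "Medium", date(2013, 4, 1), date(2013, 5, 21)),
    Vuln("CVE-XXXX-0007", "Medium", date(2013, 7, 1), date(2013, 9, 9)),
    Vuln("CVE-XXXX-0008", "Medium", date(2013, 10, 21), date(2013, 10, 1)),  # CVE assigned after advisory
    Vuln("CVE-XXXX-0009", "High", date(2014, 1, 1), date(2014, 1, 6)),
    Vuln("CVE-XXXX-0010", "High", date(2014, 3, 1), date(2014, 4, 30)),
    Vuln("CVE-XXXX-0011", "High", date(2014, 6, 1), date(2014, 8, 30)),
    Vuln("CVE-XXXX-0012", "High", date(2014, 9, 1), date(2015, 6, 28)),
]


def trimmed_mean(values, proportion=0.1):
    """Symmetric trimmed mean: drop floor(proportion * n) values from each end, then average the rest."""
    if not values:
        raise ValueError("trimmed_mean of empty group")
    xs = sorted(values)
    k = int(len(xs) * proportion)
    core = xs[k:len(xs) - k] if k else xs
    return sum(core) / len(core)


def delay_by_access_complexity(vulns, proportion=0.1):
    """Map each Access Complexity value to (number of vulnerabilities, trimmed mean delay in days)."""
    groups = {}
    for v in vulns:
        groups.setdefault(v.access_complexity, []).append(v.delay_days())
    return {ac: (len(ds), trimmed_mean(ds, proportion)) for ac, ds in groups.items()}


def negative_delays(vulns):
    """Data-quality check (assumed here): records whose advisory predates the CVE assignment."""
    return [v.cve_id for v in vulns if v.delay_days() < 0]
```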