[Research] Number of lines of code

2015-09-06 Thread Stefan Geißler

Hi all,

Is there reliable information about the number of lines of code in the 
kvm code base?


I already counted virt/kvm from the 
git://git.kernel.org/pub/scm/virt/kvm/kvm.git repository. But ~7000 LOC 
seems too little to me. Or is that correct?


Thank you in advance!
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[RESEARCH] Patch delivery delay

2015-09-14 Thread Stefan Geißler

Hello all,

I am currently analyzing the delay between vulnerability disclosure (CVE 
release) and the release of a corresponding patch.


Firstly, I noticed that some vulnerabilities are patched before the CVE 
was assigned. How is that possible? Was the vulnerability "accidentally" 
fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)


Second, does someone know why some vulnerabilities get a fix on CVE 
release day while some only receive a fix after weeks or even months? 
(Maximum delay I observed is 183 days)


Regards,
Stefan


Re: [RESEARCH] Patch delivery delay

2015-09-14 Thread Stefan Geißler

> > I am currently analyzing the delay between vulnerability disclosure (CVE
> > release) and the release of a corresponding patch.
> >
> > Firstly, I noticed that some vulnerabilities are patched before the CVE
> > was assigned. How is that possible? Was the vulnerability "accidentally"
> > fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)
>
> Yes, the vulnerability was not recognized as such.  The CVE is then
> typically assigned when a Linux distribution decides to backport the fix.
>
> > Second, does someone know why some vulnerabilities get a fix on CVE
> > release day while some only receive a fix after weeks or even months?
> > (Maximum delay I observed is 183 days)
>
> There could be many reasons.  For example the problem could be very
> minor, the patches could have problems, or a second patch was needed
> because the first fix was insufficient.  It's difficult to say
> without seeing the CVE and patch for the 183-day record.

The delay belongs to CVE-2013-4587. According to NVD the patch (a git 
commit) was submitted on 2013-12-12 while the CVE number was assigned on 
2013-06-12.

But since I have some cases in my dataset that show similar (~80% of 
identified vulnerabilities are fixed within 100 days) behaviour I am 
more interested in the general info you already provided.


Stefan


[Research] Correlation of Patch Delivery Delay and Access Complexity

2015-09-26 Thread Stefan Geißler

Hello all,

In the context of my analysis of the delay between vulnerability disclosure 
(CVE release) and the release of a corresponding patch I am also 
analyzing the relation between the delay and various vulnerability 
characteristics.


The attached figure shows the relation between Access Complexity as used 
by NVD and defined in CVSS. The Y-Axis shows the average delay for each 
category (Low, Medium, High). The numbers on top of the bars show the 
number of vulnerabilities in the respective category.


I was hoping that someone is able to help me explain the relation that 
can be seen in the figure. Why would a higher Access Complexity lead to 
a shorter patching delay? Or is the relation maybe just random and there 
is no actual connection between the two metrics?


Stefan
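The two research questions in this thread (the delay between CVE assignment and the patch, including fixes that land before the CVE exists, and the average delay per CVSS Access Complexity category) come down to a small amount of bookkeeping over dated records. The script below is an added example written for this page; it is not code from the mailing list or from the KVM project. Its CSV is constructed sample data: the first row reuses the two dates quoted in the thread for CVE-2013-4587 (183 days), and every other row carries a placeholder id with made-up dates and categories chosen so the summary figures can be checked by hand. A negative delay is kept rather than dropped, because that is exactly the "patched before the CVE was assigned" case the thread asks about.

```python
"""Patch-delivery delay analysis over a constructed vulnerability dataset.

Added example for the research questions in the thread, not code from the
mailing list or the KVM project. SAMPLE_CSV is constructed: only the first
row uses dates quoted in the thread; all EXAMPLE-* rows are invented.
"""
import csv
import io
from datetime import date

SAMPLE_CSV = """\
cve_id,cve_assigned,patch_date,access_complexity
CVE-2013-4587,2013-06-12,2013-12-12,Low
EXAMPLE-0002,2013-01-10,2013-01-10,Low
EXAMPLE-0003,2013-02-01,2013-02-15,Low
EXAMPLE-0004,2013-03-01,2013-05-20,Low
EXAMPLE-0005,2013-04-01,2013-04-22,Medium
EXAMPLE-0006,2013-05-01,2013-03-01,Medium
EXAMPLE-0007,2013-06-01,2013-09-30,Medium
EXAMPLE-0008,2013-07-01,2013-07-08,High
EXAMPLE-0009,2013-08-01,2013-08-04,High
EXAMPLE-0010,2013-09-01,2013-09-11,High
"""


def load_records(csv_text):
    """Parse CSV text (ISO-8601 dates) into dicts holding real date objects."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({
            "cve_id": row["cve_id"],
            "cve_assigned": date.fromisoformat(row["cve_assigned"]),
            "patch_date": date.fromisoformat(row["patch_date"]),
            "access_complexity": row["access_complexity"],
        })
    return records


def delay_days(record):
    """Days from CVE assignment to the patch; negative if the fix predates the CVE."""
    return (record["patch_date"] - record["cve_assigned"]).days


def fraction_fixed_within(records, days):
    """Share of records patched no later than `days` after CVE assignment.

    Negative delays count as fixed: the patch existed before disclosure.
    """
    return sum(1 for r in records if delay_days(r) <= days) / len(records)


def fixed_before_disclosure(records):
    """Ids whose patch predates the CVE (the 'fixed without being recognized' case)."""
    return [r["cve_id"] for r in records if delay_days(r) < 0]


def longest_delay(records):
    """(cve_id, delay) of the slowest fix, the thread's '183-day record' question."""
    worst = max(records, key=delay_days)
    return worst["cve_id"], delay_days(worst)


def mean_delay_by_category(records):
    """Average delay per CVSS Access Complexity value, as in the bar chart."""
    buckets = {}
    for r in records:
        buckets.setdefault(r["access_complexity"], []).append(delay_days(r))
    return {cat: sum(v) / len(v) for cat, v in buckets.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print("records:", len(recs))
    print("fixed within 100 days:", fraction_fixed_within(recs, 100))
    print("fixed before CVE assignment:", fixed_before_disclosure(recs))
    print("longest delay:", longest_delay(recs))
    for cat, avg in mean_delay_by_category(recs).items():
        print(f"  {cat}: mean delay {avg:.1f} days")
```

On the constructed data this reports 80% fixed within 100 days, one record fixed before its CVE existed, and the 183-day CVE-2013-4587 record as the maximum; swapping in a real NVD export with the same four columns is the only change needed to run it on the thread's actual dataset.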


KVM: Security Policy

2015-08-27 Thread Stefan Geißler

Hello kvm mailing list,

I assume this is a rather uncommon mailing list post since it is not 
directly related to the usage or development of KVM. Instead, the 
following is the case:


I am a student of computer science and am currently working on my 
master's thesis. The work-in-progress topic is "Mining vulnerability 
databases for information on hypervisor vulnerabilities: Analyses and 
Predictions". In the context of this research work I am analyzing 
various security related aspects regarding different hypervisors 
including KVM (A simple example contained in my analysis is the 
discovery process of security vulnerabilities and how the total number 
of disclosed vulnerabilities develops over time).


The reason I am writing this post to the public mailing list is that I 
am looking for someone who might be willing to support me during my work 
with (for example) information and/or personal experience. Or simply 
said: May I post questions and ask for help explaining my findings from 
time to time or is this too much off-topic for this mailing list?


For now the question would be whether there is some kind of formal 
documentation of the vulnerability disclosure process or a security 
policy specific to KVM?


If someone has any information regarding this, feel free to contact me 
directly through my personal mail address. Any help and information will 
be greatly appreciated!


If this post is misplaced on this mailing list maybe someone could point 
me to the right place.


Kind regards and thank you in advance,
Stefan Geißler