@Rexbeast2
Created August 26, 2023 19:14
GSoC'23 Final report.

GSoC 2022

Google Summer of Code'23 Final Report


Executive Summary

While CVE Bin Tool has played a vital role in identifying and assessing vulnerabilities through the Common Vulnerability Scoring System (CVSS), it has become evident that a more comprehensive and nuanced approach is needed to address the dynamic nature of cyber threats. The limitations of relying solely on CVSS scores have become apparent, as they fail to capture the interplay between vulnerability severity and the likelihood of exploitation. This discrepancy has led to challenges in prioritizing remediation efforts, allocating resources effectively, and staying ahead of rapidly evolving threat vectors.

The integration of the Exploit Probability Scoring System (EPSS) addresses this gap by introducing a probabilistic element that quantifies the likelihood of exploitation, providing a more accurate representation of vulnerability risk.

What is EPSS

EPSS addresses the limitations of CVSS by introducing a probabilistic approach to vulnerability assessment. This system evaluates the likelihood of a vulnerability being exploited, considering factors like historical attack patterns, attacker motivation, and system context. EPSS provides a more holistic view of risk by quantifying the probability of exploitation, which can significantly enhance the accuracy of vulnerability prioritization and resource allocation. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited. For more information here

Summary

Database Schema Change

Previously, the database schema for CVE-Bin-Tool consisted of just three tables. One held information about CVE severity, another stored its details, and the last contained CVE exploits. However, this structure was hard to extend. As a result, a transition was made to a new five-table schema, which introduced two additional tables: metric and cve-metric. The metric table accommodates the various types of metrics offered by CVE-Bin-Tool, while the cve-metric table establishes the relationships between each CVE and its corresponding metrics. The updated structure allows not only for EPSS metrics but also for the incorporation of other metrics down the line.

Adding EPSS

The integration of EPSS metrics into CVE-Bin-Tool involved four primary phases:

- Populating the Metric and CVE-Metric Tables:

This phase encompassed the downloading and storage of EPSS data within CVE-Bin-Tool.

- Query Updates:

Queries were modified to retrieve results incorporating EPSS metrics.

- Adding EPSS in Output

The existing output formats of CVE-Bin-Tool, including console, PDF, HTML, JSON, and CSV, were enhanced to include EPSS metrics.

- Adding EPSS filter

Two distinct filters were introduced to CVE-Bin-Tool. The first is the EPSS Probability Filter, which exclusively displays results meeting a specified minimum probability threshold. The second is the EPSS Percentile Filter, revealing outcomes surpassing a designated percentile threshold.
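The following added example (not code from cve-bin-tool or from this report's author) shows how a metric / cve-metric table pair can hold EPSS data and how the probability and percentile filters act on a query result. Table and column names, the sample rows, and the choice to drop CVEs that have no EPSS record while a filter is active are all assumptions made for illustration.

```python
import sqlite3

# Illustrative schema only: table and column names are assumptions,
# not cve-bin-tool's actual DDL.
SCHEMA = """
CREATE TABLE cve_severity (cve_number TEXT PRIMARY KEY, cvss_score REAL);
CREATE TABLE metric (metric_id INTEGER PRIMARY KEY, metric_name TEXT UNIQUE);
CREATE TABLE cve_metric (
    cve_number   TEXT REFERENCES cve_severity(cve_number),
    metric_id    INTEGER REFERENCES metric(metric_id),
    metric_score REAL,   -- EPSS probability, 0..1
    metric_field REAL,   -- EPSS percentile, 0..1
    PRIMARY KEY (cve_number, metric_id)
);
"""

# Constructed sample rows (placeholder IDs, not real CVEs or real scores).
SAMPLE = [
    ("CVE-0000-0001", 9.8, 0.00120, 0.45),
    ("CVE-0000-0002", 5.3, 0.97100, 0.99),
    ("CVE-0000-0003", 7.5, 0.04200, 0.92),
    ("CVE-0000-0004", 9.1, None, None),   # no EPSS record available
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO metric VALUES (1, 'EPSS')")
    for cve, cvss, prob, pct in SAMPLE:
        db.execute("INSERT INTO cve_severity VALUES (?, ?)", (cve, cvss))
        if prob is not None:
            db.execute("INSERT INTO cve_metric VALUES (?, 1, ?, ?)", (cve, prob, pct))
    return db

def scan(db, min_probability=0.0, min_percentile=0.0):
    """Return (cve, cvss, epss_probability, epss_percentile) rows passing both filters."""
    filtering = min_probability > 0 or min_percentile > 0
    rows = db.execute(
        """SELECT s.cve_number, s.cvss_score, cm.metric_score, cm.metric_field
           FROM cve_severity s
           LEFT JOIN cve_metric cm ON cm.cve_number = s.cve_number
                AND cm.metric_id = (SELECT metric_id FROM metric WHERE metric_name = 'EPSS')
           ORDER BY cm.metric_score DESC, s.cvss_score DESC"""
    ).fetchall()
    # A CVE without an EPSS record has nothing to compare, so an active
    # filter drops it (assumed policy); with no filter it is still reported.
    return [r for r in rows
            if not filtering
            or (r[2] is not None and r[2] >= min_probability and r[3] >= min_percentile)]
```

With the constructed rows, the CVE with the highest CVSS score (9.8) falls out as soon as a probability threshold of 0.01 is applied, which is the prioritization gap the report describes.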

Tasks Achieved

- Database Schema Change:

PRs:

- Adding EPSS:

PRs:

Future

I plan on contributing significantly to the project after the GSoC period. Things I plan to do:

  • Improving the test cases for EPSS filters.
  • Changing the output of cve-bin-tool for better reporting.

I am thankful to Google, Python Software Foundation, and Intel for providing me with this excellent opportunity, and to the mentors, Terri Oda, Anthony Harrison, Anant and Rhythm, who guided me throughout the program.

I would also like to thank my fellow GSoC contributor Pramurta and the cve-bin-tool community for helping me during the program.
