Should I Bother?

Fast Patch Filtering for Statically-Configured Software Variants

authored by: Tobias Landsberg, Christian Dietrich, Daniel Lohmann
Abstract: In the face of critical security vulnerabilities, patch and update management are a crucial and challenging part of the software life cycle. In software product families, patching becomes even more challenging as we have to support different variants, which are not equally affected by critical patches. While the naive “better-patched-than-sorry” approach will apply all necessary updates, it provokes avoidable costs for developers and customers. In this paper we introduce SiB (Should I Bother?), a heuristic patch-filtering method for statically-configurable software that efficiently identifies irrelevant patches for specific variants. To solve the variability-aware patch-filtering problem, SiB compares modified line ranges from patches with those source-code ranges included in variants currently deployed. We apply our prototype for CPP-managed variability to four open-source projects (Linux, OpenSSL, SQLite, Bochs), demonstrating that SiB is both effective and efficient in reducing the number of to-be-considered patches for unaffected software variants. It correctly classifies up to 68 percent of variants as unaffected, with a recall of 100 percent, thus reducing deployments significantly, without missing any relevant patches.
Organisation(s): Systems and Computer Architecture Section
External Organisation(s): Technische Universität Braunschweig
Type: Conference contribution
Pages: 12-23
No. of pages: 12
Publication date: 02.09.2024
Publication status: Published
Peer reviewed: Yes
ASJC Scopus subject areas: Human-Computer Interaction, Computer Networks and Communications, Computer Vision and Pattern Recognition, Software
Electronic version(s): https://doi.org/10.1145/3646548.3672585 (Access: Open)

BibTeX

@inproceedings{0519c4f1c8f6496fb311d28488f69508,
title = "Should I Bother?: Fast Patch Filtering for Statically-Configured Software Variants",
abstract = "In the face of critical security vulnerabilities, patch and update management are a crucial and challenging part of the software life cycle. In software product families, patching becomes even more challenging as we have to support different variants, which are not equally affected by critical patches. While the naive “better-patched-than-sorry” approach will apply all necessary updates, it provokes avoidable costs for developers and customers. In this paper we introduce SiB (Should I Bother?), a heuristic patch-filtering method for statically-configurable software that efficiently identifies irrelevant patches for specific variants. To solve the variability-aware patch-filtering problem, SiB compares modified line ranges from patches with those source-code ranges included in variants currently deployed. We apply our prototype for CPP-managed variability to four open-source projects (Linux, OpenSSL, SQLite, Bochs), demonstrating that SiB is both effective and efficient in reducing the number of to-be-considered patches for unaffected software variants. It correctly classifies up to 68 percent of variants as unaffected, with a recall of 100 percent, thus reducing deployments significantly, without missing any relevant patches.",
keywords = "Patch Filtering, Software Evolution, Software Product Lines",
author = "Tobias Landsberg and Christian Dietrich and Daniel Lohmann",
note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s).; 28th ACM International Systems and Software Product Line Conference, SPLC 2024 ; Conference date: 02-09-2024 Through 06-09-2024",
year = "2024",
month = sep,
day = "2",
doi = "10.1145/3646548.3672585",
language = "English",
series = "ACM International Conference Proceeding Series",
publisher = "Association for Computing Machinery",
pages = "12--23",
editor = "Maxime Cordy and Daniel Struber and Daniel Struber and Monica Pinto and Iris Groher and Deepak Dhungana and Jacob Kruger and {Alves Pereira}, Juliana and Mathieu Acher and Thomas Thum and Thomas Thum and {ter Beek}, {Maurice H.} and Jessie Galasso-Carbonnel and Paolo Arcaini and Mousavi, {Mohammad Reza} and Xhevahire Ternava and Galindo, {Jose A.} and Tao Yue and Lidia Fuentes and Horcas, {Jose Miguel}",
booktitle = "28th ACM International Systems and Software Product Line Conference, Proceedings",
}