N-day Vulnerabilities: Detection, Bisection, and Measurement
eScholarship
Open Access Publications from the University of California

UC Riverside Electronic Theses and Dissertations

Creative Commons 'BY' version 4.0 license
Abstract

Open-source projects are widely reused in commercial software, yet their collaborative nature exposes them to significant security challenges, particularly N-day vulnerabilities. These vulnerabilities remain exploitable after patches have been released, largely because patches propagate slowly through decentralized ecosystems. This research addresses the critical issue of prolonged vulnerability exposure by exploring the underlying causes of patch delays and developing automated tools that help accelerate patch porting and narrow the window available to attackers.

We first present a comprehensive measurement study of the Android kernel patch ecosystem, which systematically analyzes how security patches move from the Linux mainline through successive layers of customization by chipset manufacturers and OEM vendors. Our findings indicate that patch delays are a systemic issue: some patches take months, or even more than a year, to fully reach end users, which increases the risk of exploitation. Analyzing the underlying causes, we find that one significant reason is that maintainers lack knowledge of which versions a vulnerability affects. In other words, they are unsure when a vulnerability was introduced and which versions are impacted, so it is unclear whether the versions they maintain need to be patched.

Based on these observations, the patch porting process must be accelerated to reduce the attack window of N-day vulnerabilities, and identifying the affected versions is crucial to that process. We therefore tackle the challenge of bug bisection, the process of tracing a vulnerability back to its originating commit. Traditional methods, such as dynamic testing and heuristic-based identification of the BIC (bug-inducing commit, the change that first introduced the vulnerability into the codebase), have shown limitations due to environmental inconsistencies and oversimplified assumptions.

To overcome these issues, we introduce a novel approach that uses under-constrained symbolic execution to analyze code statically across multiple versions. This method precisely identifies whether the vulnerability logic exists in a given version, thereby isolating the bug-inducing commit. However, this method still faces several limitations: it requires a proof-of-concept, supports only a narrow range of bug types, and its accuracy, although higher than that of traditional methods, is not very high. These shortcomings drive us to explore alternative approaches. Finally, we enhance bug bisection by employing large language models (LLMs) that combine code diffs with contextual commit messages. This multi-step filtering approach, which uses both coarse-grained and fine-grained analysis, significantly improves the accuracy of vulnerability detection. Together, these integrated techniques can help accelerate the patching process and reduce the exposure window for N-day vulnerabilities, contributing to a more secure open-source ecosystem. These contributions offer practical solutions for swiftly mitigating vulnerabilities, enhancing open-source security, and ensuring robust resilience in critical software systems.
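The bisection step the abstract describes, reduced to its search logic, as an added illustration that is not the dissertation's own tooling or code. The dissertation's contribution is the per-version oracle (under-constrained symbolic execution, later an LLM over diffs and commit messages); here that oracle is a hand-written predicate over a constructed toy commit history, so the example only shows how a reliable "does the vulnerable logic exist in this version?" answer turns into a bug-inducing commit and an affected-version list. The commit SHAs, tags and source snippets are all made up.

```python
"""Bisecting an ordered commit history for the bug-inducing commit (BIC)
and deriving the affected release tags from it.

Illustrative code written for this page, not the dissertation's tool.
The oracle `vulnerable()` stands in for the symbolic-execution or LLM
based check; the history is a constructed toy example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Commit:
    sha: str
    tag: Optional[str]   # release tag cut at this commit, if any
    source: str          # toy file contents at this commit


# Constructed toy history (assumption, not real kernel code): a bounds
# check is dropped in c3 (the BIC) and restored in c6 (the fix).
SAFE = "if (len > BUF) return -EINVAL;\nmemcpy(buf, src, len);"
UNSAFE = "memcpy(buf, src, len);"
HISTORY: List[Commit] = [
    Commit("c1", "v1.0", SAFE),
    Commit("c2", None, SAFE),
    Commit("c3", "v1.1", UNSAFE),   # bug-inducing commit
    Commit("c4", None, UNSAFE),
    Commit("c5", "v1.2", UNSAFE),
    Commit("c6", "v1.3", SAFE),     # fix commit
]

Oracle = Callable[[Commit], bool]


def vulnerable(c: Commit) -> bool:
    """Stand-in oracle: the vulnerable logic is present when the
    bounds check is missing. A real oracle must answer on the logic,
    not on the presence of the fix diff, or the fixed version itself
    would be misclassified."""
    return "if (len > BUF)" not in c.source


def find_bic(history: List[Commit], fix_index: int, is_vuln: Oracle) -> int:
    """Return the index of the first commit in history[0:fix_index]
    that the oracle flags as vulnerable.

    Assumes the oracle is monotone on that range: once the vulnerable
    logic is introduced it stays until the fix. The parent of the fix
    must be vulnerable, otherwise the fix index or the oracle is wrong.
    """
    if fix_index <= 0 or not is_vuln(history[fix_index - 1]):
        raise ValueError("parent of the fix is not flagged vulnerable")
    lo, hi = 0, fix_index - 1        # history[hi] is known vulnerable
    while lo < hi:
        mid = (lo + hi) // 2
        if is_vuln(history[mid]):
            hi = mid                 # BIC is at mid or earlier
        else:
            lo = mid + 1             # BIC is after mid
    return lo


def affected_tags(history: List[Commit], bic: int, fix_index: int) -> List[str]:
    """Release tags cut between the BIC (inclusive) and the fix
    (exclusive); these are the versions that need the patch ported."""
    return [c.tag for c in history[bic:fix_index] if c.tag]


if __name__ == "__main__":
    fix = 5
    bic = find_bic(HISTORY, fix, vulnerable)
    print("BIC:", HISTORY[bic].sha, "affected:", affected_tags(HISTORY, bic, fix))
```

The search itself is the easy part; the abstract's point is that the oracle is what traditional approaches get wrong (a crashing PoC that depends on the build environment, or a heuristic that blames whichever commit last touched the patched lines), and a non-monotone or noisy oracle silently yields a wrong BIC and therefore a wrong affected-version list.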
