This repository is a companion to the paper:
Towards Reliable and Scalable Linux Kernel CVE Attribution in Automated Static Firmware Analyses
It provides stage two of the proposed static bug attribution pipeline for Linux kernel CVEs, consisting of two general packages:
- The `cve-attribution-s2` script to apply our enriched version-based attribution, and ...
- ... the `nvd-database` component that serves CVE data. It is a self-updating Docker container that harvests NVD JSON feeds and provides them in a MongoDB instance listening on `127.0.0.1:28000`.

Each package has its own subfolder, a corresponding `README.md`, and setup guidelines. General usage is as follows:
- Reconstruct the Home Router Security Report 2020 firmware corpus used in our case study. (We cannot just redistribute copyrighted firmware images, sorry.)
- Execute stage one: Analyze the corpus with FACT, with the analysis plugins `kernel_config`, `architecture_detection`, and `software_components` enabled.
- Start the `nvd-database` and wait until it is fully seeded.
- Apply the `cve-attribution-s2` script to generate `output_*.json` files. Their respective names correspond to the filter verdict confidence scale used in our paper.

Feel free to open an issue if you have any further questions.