Phoenix: Surviving Unpatched Vulnerabilities via Accurate and Efficient Filtering of Syscall Sequences

Hugo Kermabon-Bobinnec

Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · Software Security

The digital landscape is relentlessly challenged by unpatched vulnerabilities, posing a severe dilemma for businesses: risk exposure by keeping vulnerable services online or incur significant financial and social costs by shutting them down. Research indicates an average time-to-patch of approximately 100 days for zero-day vulnerabilities, with an additional 422 days often required for vendors to release patched container images. This protracted vulnerability window has led to catastrophic incidents, such as the Equifax data breach (CVE-2017-5638) and the Log4Shell crisis, which forced the Canadian government to disable nearly 4,000 services. The problem is particularly acute in container-based cloud services, where container images are frequently buggy, and weaker isolation mechanisms can enable adversaries to escape compromised containers and attack the underlying host system.