Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants

Research output: Chapter in book/report/conference proceeding > Conference contribution > Research > peer review

Authors

  • Tobias Landsberg
  • Christian Dietrich
  • Daniel Lohmann

External Research Organisations

  • Technische Universität Braunschweig

Details

Original language: English
Title of host publication: 28th ACM International Systems and Software Product Line Conference, Proceedings
Subtitle of host publication: SPLC 2024
Editors: Maxime Cordy, Daniel Struber, Daniel Struber, Monica Pinto, Iris Groher, Deepak Dhungana, Jacob Kruger, Juliana Alves Pereira, Mathieu Acher, Thomas Thum, Thomas Thum, Maurice H. ter Beek, Jessie Galasso-Carbonnel, Paolo Arcaini, Mohammad Reza Mousavi, Xhevahire Ternava, Jose A. Galindo, Tao Yue, Lidia Fuentes, Jose Miguel Horcas
Pages: 12-23
Number of pages: 12
ISBN (electronic): 9798400705939
Publication status: Published - 2 Sept 2024
Event: 28th ACM International Systems and Software Product Line Conference, SPLC 2024 - Dommeldange, Luxembourg
Duration: 2 Sept 2024 to 6 Sept 2024

Publication series

Name: ACM International Conference Proceeding Series

Abstract

In the face of critical security vulnerabilities, patch and update management are a crucial and challenging part of the software life cycle. In software product families, patching becomes even more challenging as we have to support different variants, which are not equally affected by critical patches. While the naive “better-patched-than-sorry” approach will apply all necessary updates, it provokes avoidable costs for developers and customers. In this paper we introduce SiB (Should I Bother?), a heuristic patch-filtering method for statically-configurable software that efficiently identifies irrelevant patches for specific variants. To solve the variability-aware patch-filtering problem, SiB compares modified line ranges from patches with those source-code ranges included in variants currently deployed. We apply our prototype for CPP-managed variability to four open-source projects (Linux, OpenSSL, SQLite, Bochs), demonstrating that SiB is both effective and efficient in reducing the number of to-be-considered patches for unaffected software variants. It correctly classifies up to 68 percent of variants as unaffected, with a recall of 100 percent, thus reducing deployments significantly, without missing any relevant patches.

Keywords

    Patch Filtering, Software Evolution, Software Product Lines

Cite this

Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants. / Landsberg, Tobias; Dietrich, Christian; Lohmann, Daniel.
28th ACM International Systems and Software Product Line Conference, Proceedings: SPLC 2024. ed. / Maxime Cordy; Daniel Struber; Daniel Struber; Monica Pinto; Iris Groher; Deepak Dhungana; Jacob Kruger; Juliana Alves Pereira; Mathieu Acher; Thomas Thum; Thomas Thum; Maurice H. ter Beek; Jessie Galasso-Carbonnel; Paolo Arcaini; Mohammad Reza Mousavi; Xhevahire Ternava; Jose A. Galindo; Tao Yue; Lidia Fuentes; Jose Miguel Horcas. 2024. p. 12-23 (ACM International Conference Proceeding Series).

Landsberg, T, Dietrich, C & Lohmann, D 2024, Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants. in M Cordy, D Struber, D Struber, M Pinto, I Groher, D Dhungana, J Kruger, J Alves Pereira, M Acher, T Thum, T Thum, MH ter Beek, J Galasso-Carbonnel, P Arcaini, MR Mousavi, X Ternava, JA Galindo, T Yue, L Fuentes & JM Horcas (eds), 28th ACM International Systems and Software Product Line Conference, Proceedings: SPLC 2024. ACM International Conference Proceeding Series, pp. 12-23, 28th ACM International Systems and Software Product Line Conference, SPLC 2024, Dommeldange, Luxembourg, 2 Sept 2024. https://doi.org/10.1145/3646548.3672585
Landsberg, T., Dietrich, C., & Lohmann, D. (2024). Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants. In M. Cordy, D. Struber, D. Struber, M. Pinto, I. Groher, D. Dhungana, J. Kruger, J. Alves Pereira, M. Acher, T. Thum, T. Thum, M. H. ter Beek, J. Galasso-Carbonnel, P. Arcaini, M. R. Mousavi, X. Ternava, J. A. Galindo, T. Yue, L. Fuentes, & J. M. Horcas (Eds.), 28th ACM International Systems and Software Product Line Conference, Proceedings: SPLC 2024 (pp. 12-23). (ACM International Conference Proceeding Series). https://doi.org/10.1145/3646548.3672585
Landsberg T, Dietrich C, Lohmann D. Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants. In Cordy M, Struber D, Struber D, Pinto M, Groher I, Dhungana D, Kruger J, Alves Pereira J, Acher M, Thum T, Thum T, ter Beek MH, Galasso-Carbonnel J, Arcaini P, Mousavi MR, Ternava X, Galindo JA, Yue T, Fuentes L, Horcas JM, editors, 28th ACM International Systems and Software Product Line Conference, Proceedings: SPLC 2024. 2024. p. 12-23. (ACM International Conference Proceeding Series). doi: 10.1145/3646548.3672585
Landsberg, Tobias ; Dietrich, Christian ; Lohmann, Daniel. / Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants. 28th ACM International Systems and Software Product Line Conference, Proceedings: SPLC 2024. editor / Maxime Cordy ; Daniel Struber ; Daniel Struber ; Monica Pinto ; Iris Groher ; Deepak Dhungana ; Jacob Kruger ; Juliana Alves Pereira ; Mathieu Acher ; Thomas Thum ; Thomas Thum ; Maurice H. ter Beek ; Jessie Galasso-Carbonnel ; Paolo Arcaini ; Mohammad Reza Mousavi ; Xhevahire Ternava ; Jose A. Galindo ; Tao Yue ; Lidia Fuentes ; Jose Miguel Horcas. 2024. pp. 12-23 (ACM International Conference Proceeding Series).
@inproceedings{0519c4f1c8f6496fb311d28488f69508,
title = "Should I Bother?: Fast Patch Filtering for Statically-Configured Software Variants",
abstract = "In the face of critical security vulnerabilities, patch and update management are a crucial and challenging part of the software life cycle. In software product families, patching becomes even more challenging as we have to support different variants, which are not equally affected by critical patches. While the naive “better-patched-than-sorry” approach will apply all necessary updates, it provokes avoidable costs for developers and customers. In this paper we introduce SiB (Should I Bother?), a heuristic patch-filtering method for statically-configurable software that efficiently identifies irrelevant patches for specific variants. To solve the variability-aware patch-filtering problem, SiB compares modified line ranges from patches with those source-code ranges included in variants currently deployed. We apply our prototype for CPP-managed variability to four open-source projects (Linux, OpenSSL, SQLite, Bochs), demonstrating that SiB is both effective and efficient in reducing the number of to-be-considered patches for unaffected software variants. It correctly classifies up to 68 percent of variants as unaffected, with a recall of 100 percent, thus reducing deployments significantly, without missing any relevant patches.",
keywords = "Patch Filtering, Software Evolution, Software Product Lines",
author = "Tobias Landsberg and Christian Dietrich and Daniel Lohmann",
note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s).; 28th ACM International Systems and Software Product Line Conference, SPLC 2024 ; Conference date: 02-09-2024 Through 06-09-2024",
year = "2024",
month = sep,
day = "2",
doi = "10.1145/3646548.3672585",
language = "English",
series = "ACM International Conference Proceeding Series",
pages = "12--23",
editor = "Maxime Cordy and Daniel Struber and Daniel Struber and Monica Pinto and Iris Groher and Deepak Dhungana and Jacob Kruger and {Alves Pereira}, Juliana and Mathieu Acher and Thomas Thum and Thomas Thum and {ter Beek}, {Maurice H.} and Jessie Galasso-Carbonnel and Paolo Arcaini and Mousavi, {Mohammad Reza} and Xhevahire Ternava and Galindo, {Jose A.} and Tao Yue and Lidia Fuentes and Horcas, {Jose Miguel}",
booktitle = "28th ACM International Systems and Software Product Line Conference, Proceedings",

}

TY - GEN

T1 - Should I Bother?

T2 - 28th ACM International Systems and Software Product Line Conference, SPLC 2024

AU - Landsberg, Tobias

AU - Dietrich, Christian

AU - Lohmann, Daniel

N1 - Publisher Copyright: © 2024 Copyright held by the owner/author(s).

PY - 2024/9/2

Y1 - 2024/9/2

N2 - In the face of critical security vulnerabilities, patch and update management are a crucial and challenging part of the software life cycle. In software product families, patching becomes even more challenging as we have to support different variants, which are not equally affected by critical patches. While the naive “better-patched-than-sorry” approach will apply all necessary updates, it provokes avoidable costs for developers and customers. In this paper we introduce SiB (Should I Bother?), a heuristic patch-filtering method for statically-configurable software that efficiently identifies irrelevant patches for specific variants. To solve the variability-aware patch-filtering problem, SiB compares modified line ranges from patches with those source-code ranges included in variants currently deployed. We apply our prototype for CPP-managed variability to four open-source projects (Linux, OpenSSL, SQLite, Bochs), demonstrating that SiB is both effective and efficient in reducing the number of to-be-considered patches for unaffected software variants. It correctly classifies up to 68 percent of variants as unaffected, with a recall of 100 percent, thus reducing deployments significantly, without missing any relevant patches.

KW - Patch Filtering

KW - Software Evolution

KW - Software Product Lines

UR - http://www.scopus.com/inward/record.url?scp=85203839201&partnerID=8YFLogxK

U2 - 10.1145/3646548.3672585

DO - 10.1145/3646548.3672585

M3 - Conference contribution

AN - SCOPUS:85203839201

T3 - ACM International Conference Proceeding Series

SP - 12

EP - 23

BT - 28th ACM International Systems and Software Product Line Conference, Proceedings

A2 - Cordy, Maxime

A2 - Struber, Daniel

A2 - Struber, Daniel

A2 - Pinto, Monica

A2 - Groher, Iris

A2 - Dhungana, Deepak

A2 - Kruger, Jacob

A2 - Alves Pereira, Juliana

A2 - Acher, Mathieu

A2 - Thum, Thomas

A2 - Thum, Thomas

A2 - ter Beek, Maurice H.

A2 - Galasso-Carbonnel, Jessie

A2 - Arcaini, Paolo

A2 - Mousavi, Mohammad Reza

A2 - Ternava, Xhevahire

A2 - Galindo, Jose A.

A2 - Yue, Tao

A2 - Fuentes, Lidia

A2 - Horcas, Jose Miguel

Y2 - 2 September 2024 through 6 September 2024

ER -