Time analysis method for vulnerability fixes in Linux distributions
Publisher
Universidade Federal de São Carlos
Abstract
Linux-based operating systems are widely used; however, like any software, they are susceptible to security vulnerabilities that can lead to critical service disruptions or unauthorized access to sensitive data. These flaws, formally cataloged as Common Vulnerabilities and Exposures (CVE) after identification by a CVE Numbering Authority (CNA), are registered with a Common Vulnerabilities and Exposures ID (CVE ID). Immediate public disclosure of these records does not always occur, as premature exposure can be exploited by malicious actors before patches are available, making swift resolution essential. This work proposes and applies the Collection and Analysis of Correction Time method (ColATeC) to investigate the lifecycle of vulnerabilities in Linux distributions. The analyzed distributions include Red Hat (6, 7, 8, and 9), AlmaLinux (8 and 9), Rocky Linux (8 and 9), Debian (10, 11, 12, Sid, and Trixie), and Ubuntu (16.04, 18.04, 20.04, and 22.04), with the following objectives: (i) map the vulnerability disclosure mechanisms adopted by each distribution; (ii) compare public data with records from the National Institute of Standards and Technology (NIST); (iii) quantify vulnerabilities per distribution; (iv) measure average patching times; and (v) evaluate disclosure policies across versions of the same distribution. The results revealed significant variations in patching efficiency among distributions, identifying those with higher vulnerability density and faster response times. Additionally, discrepancies in published data were detected, suggesting opportunities for improvement in transparency and in the adoption of structured formats (e.g. JavaScript Object Notation (JSON)). In conclusion, the ColATeC method establishes itself as a strategic tool for continuous monitoring of cybersecurity metrics. Its adoption aims to support decision-making and strengthen security postures in Linux-based ecosystems and other software environments.
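The core computations the abstract describes (objectives ii, iii and iv: per-distribution CVE counts, mean time from disclosure to fix, and discrepancies between a distribution's own records and NIST/NVD dates) as an added illustration, not code from the dissertation; the advisory records, NVD dates and CVE IDs below are constructed placeholders.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample advisories (hypothetical; not data from the dissertation).
# "disclosed" is the date the distribution's own tracker published the CVE,
# "fixed" is the date its patched package shipped (None = still open).
ADVISORIES = [
    {"dist": "Debian 12", "cve": "CVE-0000-0001", "disclosed": date(2024, 3, 1), "fixed": date(2024, 3, 4)},
    {"dist": "Debian 12", "cve": "CVE-0000-0002", "disclosed": date(2024, 3, 10), "fixed": date(2024, 3, 25)},
    {"dist": "Ubuntu 22.04", "cve": "CVE-0000-0001", "disclosed": date(2024, 3, 1), "fixed": date(2024, 3, 2)},
    {"dist": "Ubuntu 22.04", "cve": "CVE-0000-0003", "disclosed": date(2024, 4, 1), "fixed": None},
    {"dist": "AlmaLinux 9", "cve": "CVE-0000-0002", "disclosed": date(2024, 3, 10), "fixed": date(2024, 3, 20)},
]
# Constructed NIST/NVD publication dates for the same placeholder CVE IDs.
# CVE-0000-0003 is deliberately absent: listed by a distribution, not yet in NVD.
NVD_PUBLISHED = {"CVE-0000-0001": date(2024, 3, 1), "CVE-0000-0002": date(2024, 3, 12)}

def patch_time_days(rec):
    """Days from the distribution's disclosure to its fix; None while unfixed."""
    return None if rec["fixed"] is None else (rec["fixed"] - rec["disclosed"]).days

def summarize(records):
    """Per distribution: CVE count, CVEs still open, mean days to fix."""
    by_dist = defaultdict(list)
    for rec in records:
        by_dist[rec["dist"]].append(rec)
    summary = {}
    for dist, recs in by_dist.items():
        times = [t for t in map(patch_time_days, recs) if t is not None]
        summary[dist] = {"cves": len(recs), "open": len(recs) - len(times),
                         "mean_days": round(mean(times), 1) if times else None}
    return summary

def find_discrepancies(records, nvd):
    """Flag CVEs whose distribution disclosure date disagrees with NVD or is absent from it."""
    issues = []
    for rec in records:
        nvd_date = nvd.get(rec["cve"])
        if nvd_date is None:
            issues.append((rec["dist"], rec["cve"], "missing from NVD"))
        elif nvd_date != rec["disclosed"]:
            delta = (rec["disclosed"] - nvd_date).days
            issues.append((rec["dist"], rec["cve"], f"disclosure differs from NVD by {delta} days"))
    return issues

if __name__ == "__main__":
    print(summarize(ADVISORIES))
    print(find_discrepancies(ADVISORIES, NVD_PUBLISHED))
```

Unfixed CVEs are counted but excluded from the mean so open items do not shrink the average; a negative delta means the distribution published before the NVD record appeared.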
Citation
FRANÇA, Daniel Ettore Storolli. Método de análise de tempo para correções de vulnerabilidades em distribuições Linux. 2025. Dissertation (Master's in Computer Science) – Universidade Federal de São Carlos, São Carlos, 2025. Available at: https://repositorio.ufscar.br/handle/20.500.14289/23171.
Creative Commons License
Unless otherwise indicated, this item is licensed under Attribution-NonCommercial-NoDerivs 3.0 Brazil
