## For running on Google Colab
1. Upload this notebook
2. On the left pane of Google Colab UI, there will an option to upload more files
3. Upload the `for_colab.zip` archive
4. Execute the cells below sequentially

In [None]:
!unzip -o for_colab.zip

In [None]:
import json
import copy
import os
import numpy as np
from collections import defaultdict

# CVE Impact: Section 7.2 Figure 5

This notebook generates a cumulative distribution function (CDF) plot for CVE Impact. The file `data/vuln_table.json` lists, for each CVE, the binaries impacted at the function level and at the ELF level. We compute function-level reachability by running a reverse breadth-first search (BFS) from each vulnerable function associated with a CVE and recording all binaries in which at least one function is impacted; this yields the number of binaries impacted at the function level. Since the function-level call graph is large and dense (~16.2 million nodes, ~70 million edges), performing graph traversals is compute-intensive.

### Computing CVE Impact
The file `data/vuln_table.json` was generated by the script `scripts/get_vuln_reach.py`. Running this script across 500+ CVEs in the dataset requires a significant number of hours and substantial compute resources. Because the reverse BFS can be computed independently for each CVE, the task parallelizes well. To process 500+ CVEs, we used a 48-core, 372GB memory server and ran the script for several hours.

#### Performing scaled down version of this experiment
For artifact evaluation, we propose a scaled-down experiment: Compute the impact of all 9 CVEs reported for the `libxml2.so.2` library.
```
$ cd scripts
$ conda activate supply_chain_py311
$ python3 get_vuln_reach.py
```
The results will be printed on `stdout` and will also be dumped in the `scripts/results` directory.

#### Regenerating Figure 5
To regenerate Figure 5, run the cells below. They load the raw CVE impact data from `data/vuln_table.json` and generate a CDF. The cells compute the percentage reduction in the number of binaries impacted per CVE from ELF-level analysis to function-level analysis.

In [None]:
vuln_table = json.load(open('./data/vuln_table.json', 'r'))

In [None]:
cve_spread_dict = defaultdict(lambda: defaultdict(dict))
weird_cves = defaultdict(list)
for cve, dets in vuln_table.items():
    max_spread = 0
    max_det = {}
    for det in dets:
        if det['FUNC_REACH'] > det['ELF_REACH']:
            weird_cves[cve].append(det)
            det.update({'ELF_REACH':det['FUNC_REACH']})
            cve_spread_dict[cve] = copy.deepcopy(det)
        if det['FUNC_REACH'] > max_spread:
            max_spread = det['FUNC_REACH']
            max_det['FUNC_REACH'] = max_spread
            max_det['ELF_REACH'] = det['ELF_REACH']
            max_det['VULN_FUNC'] = det['VULN_FUNC']
            max_det['VULN_DEB'] = det['VULN_DEB']
            max_det['VULN_ELF'] = det['VULN_ELF']
    cve_spread_dict[cve] = max_det

In [None]:
cve_spread_reduction = {}
cve_spread_reduction_log = {}
cve_spread_reduction_nums_dict = {}
cve_spread_reduction_nums_dict_log2 = {}
cve_spread_reduction_nums_and_diff = {}
cve_spread_reduction_nums_and_diff_log10 = {}
cve_spread_reduction_percent = {}
cve_spread_reduction_percent_rdict = defaultdict(list)

less_than_threshold = 0

total_reduction_cve = 0
total_cve_impact_elf = 0
for cve, dets in cve_spread_dict.items():
    if not dets:
        print(f"{cve} hoo")
        continue
    if dets['ELF_REACH'] < 10:
        less_than_threshold += 1
        continue
    cve_spread_reduction[cve] = dets['ELF_REACH'] - dets['FUNC_REACH']
    cve_spread_reduction_nums_dict[cve] = {"ELF": dets['ELF_REACH'], "FUNC": dets['FUNC_REACH']}
    cve_spread_reduction_nums_and_diff[cve] = {"ELF": dets['ELF_REACH'], "FUNC": dets['FUNC_REACH'], "DIFF": (dets['ELF_REACH'] - dets['FUNC_REACH'])}
    cve_spread_reduction_percent[cve] = (dets["ELF_REACH"] - dets["FUNC_REACH"])/dets["ELF_REACH"]
    cve_spread_reduction_percent_rdict[(dets["ELF_REACH"] - dets["FUNC_REACH"])/dets["ELF_REACH"]].append(cve)

    total_reduction_cve += (dets["ELF_REACH"] - dets["FUNC_REACH"])
    total_cve_impact_elf += dets["ELF_REACH"]

Described in `Section 7.2`, we choose this threshold based on popularity of libraries across the ecosystem. For vulnerable libraries that have less than 10 dependents, we choose to ignore these from our CVE Impact evaluation since we want to present the benefit of the technique on the entire supply chain of 24,000+ binaries rather than specialized binaries.

In [None]:
less_than_threshold

### Average Reduction in CVE Impact Scores

In [None]:
total_reduction_cve/total_cve_impact_elf

## Plotting CVE Impact numbers

In [None]:
from scripts import plot_common as my_plt
import importlib

In [None]:
importlib.reload(my_plt)
os.makedirs("figs", exist_ok=True)
my_plt.plot_cdf_and_hist(
    input_dict=cve_spread_reduction_percent,
    xlabel="% Reduction in number of ELF binaries",
    ylabel_cdf="Cumulative % of CVEs",
    ylabel_hist="Number of CVEs",
    x_percent=True,
    xticks=np.arange(0,1.1,0.1),
    xticks_sparse=False,
    legend_loc="center right",
    aspect=0.7,
    fontsize=13,
    save_path=('figs/cve_spread_redn_percent_cdf_hist.pdf')
)

# Functions per CVE: Appendix 1 Figure 7
The cells below compute a CDF denoting the number of vulnerable functions identified per CVE

In [None]:
cve_unique_func_dict = defaultdict(list)
unique_func_names = []
for cve, dets in vuln_table.items():
    for det in dets:
        func_name = det['VULN_FUNC'].split("@")[0]
        if det['VULN_FUNC'] not in unique_func_names:
            unique_func_names.append(det['VULN_FUNC'])
        if func_name not in cve_unique_func_dict[cve]:
            cve_unique_func_dict[cve].append(func_name)
cve_unique_func_dict_nums = {}
for cve, dets in cve_unique_func_dict.items():
    cve_unique_func_dict_nums[cve] = len(dets)

In [None]:
len(unique_func_names)

In [None]:
importlib.reload(my_plt)
my_plt.plot_cdf(
    input_dict=cve_unique_func_dict_nums,
    xlabel="Number of vulnerable functions",
    ylabel="Cumulative % of CVEs",
    x_percent=False,
    xticks=np.arange(0,35,5),
    xticks_sparse=False,
    aspect=20,
    fontsize=13 ,
    save_path='figs/funcs_per_cve.pdf',
)

# Appendix Table 3
The cells below generate dump the raw CVE Impact scores for 50 CVEs sorted in decreasing order of their ELF-level impact

In [None]:
elf_reach_cve_dict_sorted = dict(sorted(cve_spread_dict.items(), key=lambda x: x[1]['ELF_REACH'], reverse=True))

In [None]:
paper_table = {}
for cve, dets in elf_reach_cve_dict_sorted.items():
    if dets["VULN_ELF"] not in paper_table:
        paper_table[dets["VULN_ELF"]] = f"{cve},{dets['VULN_FUNC'].split('@')[0]},{dets['VULN_ELF']},{dets['VULN_DEB']},{dets['ELF_REACH']},{dets['FUNC_REACH']}"
    # print(cve, dets["VULN_FUNC"], dets["VULN_ELF"], dets["VULN_DEB"], dets["ELF_REACH"], dets["FUNC_REACH"])

In [None]:
cnt = 0
with open("data/cve_spread_per_elf_50.csv", "w") as f:
    for cve, dets in paper_table.items():
        f.write(f"{dets}\n")
        cnt += 1
        if cnt == 53:
            break