Technical Report -- Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits

TL;DR

This paper introduces Expected Exploitability (EE), a novel, time-aware metric for predicting the likelihood of functional exploit development for software vulnerabilities, improving accuracy over existing methods and aiding vulnerability prioritization.

Contribution

The paper proposes a new time-varying exploitability metric, EE, and develops data-driven techniques to learn it, addressing label bias and noise issues in exploit prediction.

Findings

EE improves exploit prediction precision from 49% to 86%.

EE's accuracy increases over time, aiding early vulnerability assessment.

The authors provide an online platform for EE accessible to the public.

Abstract

Assessing the exploitability of software vulnerabilities at the time of disclosure is difficult and error-prone, as features extracted via technical analysis by existing metrics are poor predictors for exploit development. Moreover, exploitability assessments suffer from a class bias because "not exploitable" labels could be inaccurate. To overcome these challenges, we propose a new metric, called Expected Exploitability (EE), which reflects, over time, the likelihood that functional exploits will be developed. Key to our solution is a time-varying view of exploitability, a departure from existing metrics. This allows us to learn EE using data-driven techniques from artifacts published after disclosure, such as technical write-ups and proof-of-concept exploits, for which we design novel feature sets. This view also allows us to investigate the effect of the label biases on the classifiers. We characterize the noise-generating process for exploit prediction, showing that our problem is subject to the most challenging type of label noise, and propose techniques to learn EE in the presence of noise. On a dataset of 103,137 vulnerabilities, we show that EE increases precision from 49% to 86% over existing metrics, including two state-of-the-art exploit classifiers, while its precision substantially improves over time. We also highlight the practical utility of EE for predicting imminent exploits and prioritizing critical vulnerabilities. We develop EE into an online platform which is publicly available at https://exploitability.app/.