Top

Software Quality Journal

Published in:

01-03-2016

Assessing vulnerability exploitability risk using software properties

Authors: Awad Younis, Yashwant K. Malaiya, Indrajit Ray

Published in: Software Quality Journal | Issue 1/2016

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Attacks on computer systems are now attracting increased attention. While the current trends in software vulnerability discovery indicate that the number of newly discovered vulnerabilities continues to be significant, the time between the public disclosure of vulnerabilities and the release of an automated exploit is shrinking. Thus, assessing the vulnerability exploitability risk is critical because this allows decision-makers to prioritize among vulnerabilities, allocate resources to patch and protect systems from these vulnerabilities, and choose between alternatives. Common vulnerability scoring system (CVSS) metrics have become the de facto standard for assessing the severity of vulnerabilities. However, the CVSS exploitability measures assign subjective values based on the views of experts. Two of the factors in CVSS, Access Vector and Authentication, are the same for almost all vulnerabilities. CVSS does not specify how the third factor, Access Complexity, is measured, and hence it is unknown whether it considers software properties as a factor. In this work, we introduce a novel measure, Structural Severity, which is based on software properties, namely attack entry points, vulnerability location, the presence of the dangerous system calls, and reachability analysis. These properties represent metrics that can be objectively derived from attack surface analysis, vulnerability analysis, and exploitation analysis. To illustrate the proposed approach, 25 reported vulnerabilities of Apache HTTP server and 86 reported vulnerabilities of Linux Kernel have been examined at the source code level. The results show that the proposed approach, which uses more detailed information, can objectively measure the risk of vulnerability exploitability and results can be different from the CVSS base scores.

previous article Normalizing variations in feature vector structure in keystroke dynamics authentication systems

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Alhazmi, O. H., & Malaiya,Y. K. (2005). Modeling the vulnerability discovery process. In: Proceedings of the 16th IEEE international symposium on software reliability engineering (ISSRE’05) (pp. 1–10). doi:10.1109/ISSRE.2005.30.

Alhazmi, O. H., Malaiya, Y. K., & Ray, I. (2007). Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security, 26(3), 219–228. doi:10.1016/j.cose.2006.10.002.CrossRef

Allodi, L., & Massacci, F. (2012). A preliminary analysis of vulnerability scores for attacks in wild. In: Proceedings of the 2012 ACM workshop on Building analysis datasets and gathering experience returns for security (BADGERS 12) (pp. 17–24). ISBN: 978-1-4503-1661-3. doi:10.1145/2382416.2382427

Allodi, L., & Massacci, F. (2013). My Software has a vulnerability, should I worry? Corrnel Univsity Library (pp. 12). arXiv:1301.1275. http://www.arxiv.org/pdf/1301.1275v3.pdf. Accessed 2 Aug 2013.

Allodi, L., Shim, W., & Massacci, F. (2013). Quantitative Assessment of risk reduction with cybercrime black market monitoring. IEEE Security and Privacy Workshops (SPW) (pp. 165–172). doi: 10.1109/SPW.2013.16

Apache-SVN. (2014). the apache software foundation. http://www.svn.apache.org/viewvc/. Accessed 27 Mar 2014.

Arbaugh, W. A., Fithen, W. L., & John, M. (2000). Windows of vulnerability: A case study analysis. Computer, 33(12), 52–59. doi:10.1109/2.889093.CrossRef

Archive.apache.org. (2014). The apache software foundation. http://www.archive.apache.org/dist/httpd/. Accessed 2 Aug 2014.

Avgerinos, T., Cha, S. K., Rebert, A., Schwartz, E. J., Woo, M., & Brumley, D. (2014). Automatic exploit generation. Communications of the ACM, 26(3), 74–84. doi:10.1145/2560217.2560219.CrossRef

Bhattacharya, P., Iliofotou, M., Neamtiu, I., & Faloutsos, M. (2012). Graph-based analysis and prediction for software evolution. In: Proceedings of the 34th international conference on software engineering (ICSE ‘12) (pp. 419–429). ISBN: 978-1-4673-1067-3.

Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In: Proceedings of the 16th ACM SIGKDD international conference on knowledge discovery and data mining (KDD ‘10) (pp. 105–114). doi:10.1145/1835804.1835821

Brenneman, D. (2012). Improving software security by identifying and securing paths linking attack surface to attack target. McCabe Software Inc. White Paper. http://www.mccabe.com/. Accessed 4 Aug 2014.

Evans, D., & Larochelle, D. (2002). Improving security using extensible lightweight static analysis. IEEE Software, 19(1), 42–51. doi:10.1109/52.976940.CrossRef

Ferrante, J., Ottenstein, K. J., & Warren, J. D. (1987). The program dependence graph and its use in optimization. ACM Transactions on Programming Languages and Systems (TOPLAS), 9(3), 319–349. doi:10.1145/24039.24041.MATHCrossRef

Frei, S., Tellenbach, B., & Plattner, B. (2008). 0-day Patch: Exposing vendors (in) security performance. Black Hat Europe. http://www.techzoom.net/papers/blackhat 0 day Patch 2008.pdf. Accessed 10 Aug 2013.

GNU Cflow (2013) http://www.gnu.org/software/cflow/manual/cflow.html. Accessed 2 Aug 2013.

Horwitz, S., Reps, T., & Binkley, D. (1990). Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems (TOPLAS), 12(1), 26–60. doi:10.1145/77606.77608.CrossRef

Howard, M., Pincus, J., & Wing, J. (2005). Measuring relative attack surfaces. Computer Security in the 21st Century (pp. 109–137). Springer. ISBN 0-387-24005-5, 0-387-24006-3. http://www.link.springer.com/chapter/10.1007/0-387-24006-3_8.

Imperva, a provider of cyber and data security products (2012). http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf. Accesses 19 Apr 2014.

Jansen, W. (2009). Directions in Security Metrics Research. NIST. http://www.csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf. Accessed 15 March 2013.

Joh, H., & Malaiya, Y. K. (2011). Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: The 2011 international conference on security and management (SAM’11) (pp. 10–16).

Kuck, D. J., Muraoka, Y., & Chen, S. (1972). On the number of operations simultaneously executable in fortran-like programs and their resulting speedup. The IEEE Transactions on Computers, 100(12), 1293–1310. doi:10.1109/T-C.1972.223501.MathSciNetCrossRef

Manadhata, P. K., & Wing, J. M. (2011). An attack surface metric. The IEEE Transactions on Software Engineering, 37(3), 371–386. doi:10.1109/TSE.2010.60.CrossRef

Manadhata, P. K, Wing, J., Flynn M., & McQueen, M. (2006). Measuring the attack surfaces of two FTP daemons. In: Proceedings of the 2nd ACM workshop on quality of protection (QoP’06) (pp. 3–10). doi:10.1145/1179494.1179497.

Massimo, B., Gabrielli, E., & Mancini, L. (2002). Remus: A security-enhanced operating system. ACM Transactions on Information and System Security (TISSEC), 5(1), 36–61. doi:10.1145/504909.504911.CrossRef

Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the common vulnerability scoring system version 2.0. Published by FIRST-Forum of Incident Response and Security Teams (pp. 1–23). http://www.first.org/cvss/cvss-guide.pdf. Accessed 15 Mar 2013.

Metasploit Database. (2014). http://www.metasploit.com/. Accessed 27 March 2014.

National Vulnerability Database. (2013). http://www.nvd.nist.gov/. Accessed 2 Aug 2013.

OSVDB: Open Sourced Vulnerability Database. (2014). http://www.osvdb.org/. Accessed 19 Feb 2014.

Pfleeger, C. P., & Pfleeger, S. L. (2006). Security in computing. New Jersey: Prentice Hall PTR.

Ponemon Institute. (2013). 2013 Cost of data breach study: Global analysis. Benchmark research sponsored by Symantec, Independently Conducted by Ponemon Institute. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf. Accessed 10 Mar 2013.

Red Hat Bugzilla Main Page. (2014). https://bugzilla.redhat.com/. Accessed 2 Mar 2014.

Scientific Toolworks Understand. (2014). http://www.scitools.com/. Accessed 22 Mar 2014.

SecurityFocus. (2015). http://www.securityfocus.com/archive/1. Accessed 2 Mar 2015.

Silberschatz, A., Galvin, P. B., & Gagne, G. (2009). Operating system concepts. Wiley.

Skape. (2007). Improving software security analysis using exploitation properties. Uninformed. http://www.uninformed.org/?o=about. Accessed 29 Mar 2014.

Sparks, S., Embleton, S., Cunningham, R., & Zou, C. (2007). Automated vulnerability analysis: Leveraging control flow for evolutionary input crafting. In: Computer Security Applications Conference (ACSAC 2007) (pp. 477–486). doi:10.1109/ACSAC.2007.27.

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST. http://www.security-science.com/pdf/risk-management-guide-for-information-technology-systems.pdf. Accessed 23 Mar 2013.

The Exploits Database. (2013). http://www.exploit-db.com/. Accessed 7 Aug 2013.

Usage Statistics and Market Share of Web Servers for Websites. (2013). http://www.w3techs.com/technologies/overview/web_server/all. Accessed 2 Aug 2013.

Younis, A. A., & Malaiya,Y. K. (2012). Relationship between attack surface and vulnerability density: A case study on apache HTTP server. In: The 2012 international conference on internet computing (ICOMP’12) (pp. 197–203).

Title: Assessing vulnerability exploitability risk using software properties
Authors: Awad Younis
Yashwant K. Malaiya
Indrajit Ray
Publication date: 01-03-2016
Publisher: Springer US
Published in: Software Quality Journal / Issue 1/2016
Print ISSN: 0963-9314
Electronic ISSN: 1573-1367
DOI: https://doi.org/10.1007/s11219-015-9274-6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Other articles of this Issue 1/2016

Special issue on High Assurance Systems Engineering

Finding fault with fault injection: an empirical exploration of distortion in fault injection experiments

Toward high assurance software systems with adaptive fault management

Accelerating temporal verification of Simulink diagrams using satisfiability modulo theories

In this issue

Experiences with software-based soft-error mitigation using AN codes

Premium Partner