Top

Software Quality Journal

Published in:

28-03-2017

Estimating software robustness in relation to input validation vulnerabilities using Bayesian networks

Authors: Ekincan Ufuktepe, Tugkan Tuglular

Published in: Software Quality Journal | Issue 2/2018

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Estimating the robustness of software in the presence of invalid inputs has long been a challenging task owing to the fact that developers usually fail to take the necessary action to validate inputs during the design and implementation of software. We propose a method for estimating the robustness of software in relation to input validation vulnerabilities using Bayesian networks. The proposed method runs on all program functions and/or methods. It calculates a robustness value using information on the existence of input validation code in the functions and utilizing common weakness scores of known input validation vulnerabilities. In the case study, ten well-known software libraries implemented in the JavaScript language, which are chosen because of their increasing popularity among software developers, are evaluated. Using our method, software development teams can track changes made to software to deal with invalid inputs.

previous article Semantic languages for developing correct language translations

next article Investigating relationships between functional coupling and the energy efficiency of embedded software

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Alkhalaf, M.A. (2014). Automatic Detection and Repair of Input Validation and Sanitization Bugs (PhD dissertation, University Of California Santa Barbara).

Avizienis, A., Laprie, J., Randell, B. (2001). Fundamental Concepts of Dependability, Tech. Rep. 1145, University of Newcastle.

Ben-Gal, I. (2007). Bayesian networks. In F. Ruggeri, F. Faltin, & R. Kenett (Eds.), Encyclopedia of statistics in Quality & Reliability. New York: Wiley.

Bobbio, A., Portinale, L., Minichino, M., & Ciancamerla, E. (2001). Improving the analysis of dependable systems by mapping fault trees into Bayesian networks. Reliability Engineering & System Safety, 71(3), 249–260.CrossRef

Christey, S. (2005). Preliminary list of vulnerability examples for researchers. NIST Workshop Defining the State of the Art of Software Security Tools, Gaithersburg, MD.

Dejaeger, K., Verbraken, T., & Baesens, B. (2013). Toward comprehensible software fault prediction models using bayesian network classifiers. IEEE Transactions on Software Engineering, 39(2), 237–257. doi:10.1109/TSE.2012.20.CrossRef

Fenton, N., & Neil, M. (2012). Risk assessment and decision analysis with Bayesian networks. Boca Raton: CRC Press.MATH

Franke, U., Johnson, P., König, J., & Marcks von Würtemberg, L. (2011). Availability of enterprise IT systems: an expert-based Bayesian framework. Software Quality Journal, 20(2), 369–394. doi:10.1007/s11219-011-9141-z.CrossRef

Frigault, M., & Wang, L. (2008). Measuring network security using Bayesian network-based attack graphs. In 32nd annual IEEE international conference on computer software and applications (COMPSAC '08) (pp. 698–703).

Guarnieri, S., & Livshits, V.B. (2010). Gulfstream: Incremental static analysis for streaming Java Script applications. In Proc. of the USENIX Conference on Web Application Development, accessible through http://static.usenix.org/event/webapps10/tech/full_papers/Guarnieri.pdf .

Halfond, W.G., Viegas, J., & Orso, A., (2006). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13–15). IEEE.

Heckerman, D. (1996). A tutorial on learning with Bayesian networks. Technical Report Microsoft Research, MSR-TR-96-06, http://research.microsoft.com/apps/pubs/?id=69588.

Holm, H., Korman, M., & Ekstedt, M. (2014). A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits. Information and Software Technology, 58, 304–318. doi:10.1016/j.infsof.2014.07.001.CrossRef

IEEE Std 610.12-1990 (1990). IEEE Standard Glossary of Software Engineering Terminology.

Jensen, S.H., Møller, A., & Thiemann, P. (2009). Type analysis for Java Script. In Proc. 16th International Static Analysis Symposium, SAS ‘09, LNCS (vol. 5673, pp. 238–255). Berlin Heidelberg New York: Springer.

Jourdan, G. V. (2008). Data validation, data neutralization, data footprint: a framework against injection attacks. Open Software Engineering Journal, 2, 45–54.CrossRef

Kondakci, S. (2010). Network security risk assessment using Bayesian belief networks. In IEEE international conference on social computing (social com) (pp. 952–960).

Korb, K. B., & Nicholson, A. E. (2003). Bayesian artificial intelligence. Boca Raton: CRC Press.CrossRefMATH

Kuperman, B. A., Brodley, C. E., Ozdoganoglu, H., Vijaykumar, T. N., & Jalote, A. (2005). Detection and prevention of stack buffer overflow attacks. Communications of the ACM, 48(11), 50–56.CrossRef

National Vulnerability Database (2014). http://web.nvd.nist.gov/view/vuln/statistics. Accessed 5 June 2015.

Okutan, A., & Yıldız, O. T. (2012). Software defect prediction using Bayesian networks. Empirical Software Engineering, 2, 154–181. doi:10.1007/s10664-012-9218-8.

OpenMarkov (2014). http://www.openmarkov.org/. Accessed 5 June 2015.

Perkusich, M., Soares, G., Almeida, H., & Perkusich, A. (2015). A procedure to detect problems of processes in software development projects using Bayesian networks. Expert Systems with Applications, 42(1), 437–450. doi:10.1016/j.eswa.2014.08.015.CrossRef

Shahrokni, A., & Feldt, R. (2013). A systematic review of software robustness. Information and Software Technology, 55, 1–17.CrossRef

Smithline, N. (2013). OWASP Top 10 2013. https://www.owasp.org/index.php/Top_10_2013-Top_10. Accessed 5 June 2015.

Wagner, S. (2010). A Bayesian network approach to assess and predict software quality using activity-based quality models. Information and Software Technology, 52, 1230–1241.CrossRef

Weber, P., Medina-Oliva, G., Simon, C., & Iung, B. (2012). Overview on Bayesian networks applications for dependability, risk analysis and maintenance areas. Engineering Applications of Artificial Intelligence, 25(4), 671–682. doi:10.1016/j.engappai.2010.06.002.CrossRef

Title: Estimating software robustness in relation to input validation vulnerabilities using Bayesian networks
Authors: Ekincan Ufuktepe
Tugkan Tuglular
Publication date: 28-03-2017
Publisher: Springer US
Published in: Software Quality Journal / Issue 2/2018
Print ISSN: 0963-9314
Electronic ISSN: 1573-1367
DOI: https://doi.org/10.1007/s11219-017-9359-5

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Other articles of this Issue 2/2018

Coherence of comments and method implementations: a dataset and an empirical investigation

The effect of requests for user feedback on Quality of Experience

In this issue

A model for estimating change propagation in software

Challenges of software process and product quality improvement: catalyzing defect root-cause investigation by process enactment data analysis

Evaluating perceived and estimated data quality for Web 2.0 applications: a gap analysis

Premium Partner