nach oben

Software Quality Journal

Erschienen in:

28.03.2017

Estimating software robustness in relation to input validation vulnerabilities using Bayesian networks

verfasst von: Ekincan Ufuktepe, Tugkan Tuglular

Erschienen in: Software Quality Journal | Ausgabe 2/2018

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Estimating the robustness of software in the presence of invalid inputs has long been a challenging task owing to the fact that developers usually fail to take the necessary action to validate inputs during the design and implementation of software. We propose a method for estimating the robustness of software in relation to input validation vulnerabilities using Bayesian networks. The proposed method runs on all program functions and/or methods. It calculates a robustness value using information on the existence of input validation code in the functions and utilizing common weakness scores of known input validation vulnerabilities. In the case study, ten well-known software libraries implemented in the JavaScript language, which are chosen because of their increasing popularity among software developers, are evaluated. Using our method, software development teams can track changes made to software to deal with invalid inputs.

Vorheriger Artikel Semantic languages for developing correct language translations

Nächster Artikel Investigating relationships between functional coupling and the energy efficiency of embedded software

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Alkhalaf, M.A. (2014). Automatic Detection and Repair of Input Validation and Sanitization Bugs (PhD dissertation, University Of California Santa Barbara).

Avizienis, A., Laprie, J., Randell, B. (2001). Fundamental Concepts of Dependability, Tech. Rep. 1145, University of Newcastle.

Ben-Gal, I. (2007). Bayesian networks. In F. Ruggeri, F. Faltin, & R. Kenett (Eds.), Encyclopedia of statistics in Quality & Reliability. New York: Wiley.

Bobbio, A., Portinale, L., Minichino, M., & Ciancamerla, E. (2001). Improving the analysis of dependable systems by mapping fault trees into Bayesian networks. Reliability Engineering & System Safety, 71(3), 249–260.CrossRef

Christey, S. (2005). Preliminary list of vulnerability examples for researchers. NIST Workshop Defining the State of the Art of Software Security Tools, Gaithersburg, MD.

Dejaeger, K., Verbraken, T., & Baesens, B. (2013). Toward comprehensible software fault prediction models using bayesian network classifiers. IEEE Transactions on Software Engineering, 39(2), 237–257. doi:10.1109/TSE.2012.20.CrossRef

Fenton, N., & Neil, M. (2012). Risk assessment and decision analysis with Bayesian networks. Boca Raton: CRC Press.MATH

Franke, U., Johnson, P., König, J., & Marcks von Würtemberg, L. (2011). Availability of enterprise IT systems: an expert-based Bayesian framework. Software Quality Journal, 20(2), 369–394. doi:10.1007/s11219-011-9141-z.CrossRef

Frigault, M., & Wang, L. (2008). Measuring network security using Bayesian network-based attack graphs. In 32nd annual IEEE international conference on computer software and applications (COMPSAC '08) (pp. 698–703).

Guarnieri, S., & Livshits, V.B. (2010). Gulfstream: Incremental static analysis for streaming Java Script applications. In Proc. of the USENIX Conference on Web Application Development, accessible through http://static.usenix.org/event/webapps10/tech/full_papers/Guarnieri.pdf .

Halfond, W.G., Viegas, J., & Orso, A., (2006). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13–15). IEEE.

Heckerman, D. (1996). A tutorial on learning with Bayesian networks. Technical Report Microsoft Research, MSR-TR-96-06, http://research.microsoft.com/apps/pubs/?id=69588.

Holm, H., Korman, M., & Ekstedt, M. (2014). A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits. Information and Software Technology, 58, 304–318. doi:10.1016/j.infsof.2014.07.001.CrossRef

IEEE Std 610.12-1990 (1990). IEEE Standard Glossary of Software Engineering Terminology.

Jensen, S.H., Møller, A., & Thiemann, P. (2009). Type analysis for Java Script. In Proc. 16th International Static Analysis Symposium, SAS ‘09, LNCS (vol. 5673, pp. 238–255). Berlin Heidelberg New York: Springer.

Jourdan, G. V. (2008). Data validation, data neutralization, data footprint: a framework against injection attacks. Open Software Engineering Journal, 2, 45–54.CrossRef

Kondakci, S. (2010). Network security risk assessment using Bayesian belief networks. In IEEE international conference on social computing (social com) (pp. 952–960).

Korb, K. B., & Nicholson, A. E. (2003). Bayesian artificial intelligence. Boca Raton: CRC Press.CrossRefMATH

Kuperman, B. A., Brodley, C. E., Ozdoganoglu, H., Vijaykumar, T. N., & Jalote, A. (2005). Detection and prevention of stack buffer overflow attacks. Communications of the ACM, 48(11), 50–56.CrossRef

National Vulnerability Database (2014). http://web.nvd.nist.gov/view/vuln/statistics. Accessed 5 June 2015.

Okutan, A., & Yıldız, O. T. (2012). Software defect prediction using Bayesian networks. Empirical Software Engineering, 2, 154–181. doi:10.1007/s10664-012-9218-8.

OpenMarkov (2014). http://www.openmarkov.org/. Accessed 5 June 2015.

Perkusich, M., Soares, G., Almeida, H., & Perkusich, A. (2015). A procedure to detect problems of processes in software development projects using Bayesian networks. Expert Systems with Applications, 42(1), 437–450. doi:10.1016/j.eswa.2014.08.015.CrossRef

Shahrokni, A., & Feldt, R. (2013). A systematic review of software robustness. Information and Software Technology, 55, 1–17.CrossRef

Smithline, N. (2013). OWASP Top 10 2013. https://www.owasp.org/index.php/Top_10_2013-Top_10. Accessed 5 June 2015.

Wagner, S. (2010). A Bayesian network approach to assess and predict software quality using activity-based quality models. Information and Software Technology, 52, 1230–1241.CrossRef

Weber, P., Medina-Oliva, G., Simon, C., & Iung, B. (2012). Overview on Bayesian networks applications for dependability, risk analysis and maintenance areas. Engineering Applications of Artificial Intelligence, 25(4), 671–682. doi:10.1016/j.engappai.2010.06.002.CrossRef

Titel: Estimating software robustness in relation to input validation vulnerabilities using Bayesian networks
verfasst von: Ekincan Ufuktepe
Tugkan Tuglular
Publikationsdatum: 28.03.2017
Verlag: Springer US
Erschienen in: Software Quality Journal / Ausgabe 2/2018
Print ISSN: 0963-9314
Elektronische ISSN: 1573-1367
DOI: https://doi.org/10.1007/s11219-017-9359-5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 2/2018

Special issue on “software quality in software-intensive systems”

Coherence of comments and method implementations: a dataset and an empirical investigation

Multi-device coverage testing of mobile applications

Recognising object-oriented software design quality: a practitioner-based questionnaire survey

Considerations about quality in model-driven engineering

Software defect prediction: do different classifiers find the same defects?

Premium Partner