nach oben

Software Quality Journal

Erschienen in:

01.03.2016

Assessing vulnerability exploitability risk using software properties

verfasst von: Awad Younis, Yashwant K. Malaiya, Indrajit Ray

Erschienen in: Software Quality Journal | Ausgabe 1/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Attacks on computer systems are now attracting increased attention. While the current trends in software vulnerability discovery indicate that the number of newly discovered vulnerabilities continues to be significant, the time between the public disclosure of vulnerabilities and the release of an automated exploit is shrinking. Thus, assessing the vulnerability exploitability risk is critical because this allows decision-makers to prioritize among vulnerabilities, allocate resources to patch and protect systems from these vulnerabilities, and choose between alternatives. Common vulnerability scoring system (CVSS) metrics have become the de facto standard for assessing the severity of vulnerabilities. However, the CVSS exploitability measures assign subjective values based on the views of experts. Two of the factors in CVSS, Access Vector and Authentication, are the same for almost all vulnerabilities. CVSS does not specify how the third factor, Access Complexity, is measured, and hence it is unknown whether it considers software properties as a factor. In this work, we introduce a novel measure, Structural Severity, which is based on software properties, namely attack entry points, vulnerability location, the presence of the dangerous system calls, and reachability analysis. These properties represent metrics that can be objectively derived from attack surface analysis, vulnerability analysis, and exploitation analysis. To illustrate the proposed approach, 25 reported vulnerabilities of Apache HTTP server and 86 reported vulnerabilities of Linux Kernel have been examined at the source code level. The results show that the proposed approach, which uses more detailed information, can objectively measure the risk of vulnerability exploitability and results can be different from the CVSS base scores.

Vorheriger Artikel Normalizing variations in feature vector structure in keystroke dynamics authentication systems

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Alhazmi, O. H., & Malaiya,Y. K. (2005). Modeling the vulnerability discovery process. In: Proceedings of the 16th IEEE international symposium on software reliability engineering (ISSRE’05) (pp. 1–10). doi:10.1109/ISSRE.2005.30.

Alhazmi, O. H., Malaiya, Y. K., & Ray, I. (2007). Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security, 26(3), 219–228. doi:10.1016/j.cose.2006.10.002.CrossRef

Allodi, L., & Massacci, F. (2012). A preliminary analysis of vulnerability scores for attacks in wild. In: Proceedings of the 2012 ACM workshop on Building analysis datasets and gathering experience returns for security (BADGERS 12) (pp. 17–24). ISBN: 978-1-4503-1661-3. doi:10.1145/2382416.2382427

Allodi, L., & Massacci, F. (2013). My Software has a vulnerability, should I worry? Corrnel Univsity Library (pp. 12). arXiv:1301.1275. http://www.arxiv.org/pdf/1301.1275v3.pdf. Accessed 2 Aug 2013.

Allodi, L., Shim, W., & Massacci, F. (2013). Quantitative Assessment of risk reduction with cybercrime black market monitoring. IEEE Security and Privacy Workshops (SPW) (pp. 165–172). doi: 10.1109/SPW.2013.16

Apache-SVN. (2014). the apache software foundation. http://www.svn.apache.org/viewvc/. Accessed 27 Mar 2014.

Arbaugh, W. A., Fithen, W. L., & John, M. (2000). Windows of vulnerability: A case study analysis. Computer, 33(12), 52–59. doi:10.1109/2.889093.CrossRef

Archive.apache.org. (2014). The apache software foundation. http://www.archive.apache.org/dist/httpd/. Accessed 2 Aug 2014.

Avgerinos, T., Cha, S. K., Rebert, A., Schwartz, E. J., Woo, M., & Brumley, D. (2014). Automatic exploit generation. Communications of the ACM, 26(3), 74–84. doi:10.1145/2560217.2560219.CrossRef

Bhattacharya, P., Iliofotou, M., Neamtiu, I., & Faloutsos, M. (2012). Graph-based analysis and prediction for software evolution. In: Proceedings of the 34th international conference on software engineering (ICSE ‘12) (pp. 419–429). ISBN: 978-1-4673-1067-3.

Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In: Proceedings of the 16th ACM SIGKDD international conference on knowledge discovery and data mining (KDD ‘10) (pp. 105–114). doi:10.1145/1835804.1835821

Brenneman, D. (2012). Improving software security by identifying and securing paths linking attack surface to attack target. McCabe Software Inc. White Paper. http://www.mccabe.com/. Accessed 4 Aug 2014.

Evans, D., & Larochelle, D. (2002). Improving security using extensible lightweight static analysis. IEEE Software, 19(1), 42–51. doi:10.1109/52.976940.CrossRef

Ferrante, J., Ottenstein, K. J., & Warren, J. D. (1987). The program dependence graph and its use in optimization. ACM Transactions on Programming Languages and Systems (TOPLAS), 9(3), 319–349. doi:10.1145/24039.24041.MATHCrossRef

Frei, S., Tellenbach, B., & Plattner, B. (2008). 0-day Patch: Exposing vendors (in) security performance. Black Hat Europe. http://www.techzoom.net/papers/blackhat 0 day Patch 2008.pdf. Accessed 10 Aug 2013.

GNU Cflow (2013) http://www.gnu.org/software/cflow/manual/cflow.html. Accessed 2 Aug 2013.

Horwitz, S., Reps, T., & Binkley, D. (1990). Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems (TOPLAS), 12(1), 26–60. doi:10.1145/77606.77608.CrossRef

Howard, M., Pincus, J., & Wing, J. (2005). Measuring relative attack surfaces. Computer Security in the 21st Century (pp. 109–137). Springer. ISBN 0-387-24005-5, 0-387-24006-3. http://www.link.springer.com/chapter/10.1007/0-387-24006-3_8.

Imperva, a provider of cyber and data security products (2012). http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed3.pdf. Accesses 19 Apr 2014.

Jansen, W. (2009). Directions in Security Metrics Research. NIST. http://www.csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf. Accessed 15 March 2013.

Joh, H., & Malaiya, Y. K. (2011). Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: The 2011 international conference on security and management (SAM’11) (pp. 10–16).

Kuck, D. J., Muraoka, Y., & Chen, S. (1972). On the number of operations simultaneously executable in fortran-like programs and their resulting speedup. The IEEE Transactions on Computers, 100(12), 1293–1310. doi:10.1109/T-C.1972.223501.MathSciNetCrossRef

Manadhata, P. K., & Wing, J. M. (2011). An attack surface metric. The IEEE Transactions on Software Engineering, 37(3), 371–386. doi:10.1109/TSE.2010.60.CrossRef

Manadhata, P. K, Wing, J., Flynn M., & McQueen, M. (2006). Measuring the attack surfaces of two FTP daemons. In: Proceedings of the 2nd ACM workshop on quality of protection (QoP’06) (pp. 3–10). doi:10.1145/1179494.1179497.

Massimo, B., Gabrielli, E., & Mancini, L. (2002). Remus: A security-enhanced operating system. ACM Transactions on Information and System Security (TISSEC), 5(1), 36–61. doi:10.1145/504909.504911.CrossRef

Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the common vulnerability scoring system version 2.0. Published by FIRST-Forum of Incident Response and Security Teams (pp. 1–23). http://www.first.org/cvss/cvss-guide.pdf. Accessed 15 Mar 2013.

Metasploit Database. (2014). http://www.metasploit.com/. Accessed 27 March 2014.

National Vulnerability Database. (2013). http://www.nvd.nist.gov/. Accessed 2 Aug 2013.

OSVDB: Open Sourced Vulnerability Database. (2014). http://www.osvdb.org/. Accessed 19 Feb 2014.

Pfleeger, C. P., & Pfleeger, S. L. (2006). Security in computing. New Jersey: Prentice Hall PTR.

Ponemon Institute. (2013). 2013 Cost of data breach study: Global analysis. Benchmark research sponsored by Symantec, Independently Conducted by Ponemon Institute. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf. Accessed 10 Mar 2013.

Red Hat Bugzilla Main Page. (2014). https://bugzilla.redhat.com/. Accessed 2 Mar 2014.

Scientific Toolworks Understand. (2014). http://www.scitools.com/. Accessed 22 Mar 2014.

SecurityFocus. (2015). http://www.securityfocus.com/archive/1. Accessed 2 Mar 2015.

Silberschatz, A., Galvin, P. B., & Gagne, G. (2009). Operating system concepts. Wiley.

Skape. (2007). Improving software security analysis using exploitation properties. Uninformed. http://www.uninformed.org/?o=about. Accessed 29 Mar 2014.

Sparks, S., Embleton, S., Cunningham, R., & Zou, C. (2007). Automated vulnerability analysis: Leveraging control flow for evolutionary input crafting. In: Computer Security Applications Conference (ACSAC 2007) (pp. 477–486). doi:10.1109/ACSAC.2007.27.

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST. http://www.security-science.com/pdf/risk-management-guide-for-information-technology-systems.pdf. Accessed 23 Mar 2013.

The Exploits Database. (2013). http://www.exploit-db.com/. Accessed 7 Aug 2013.

Usage Statistics and Market Share of Web Servers for Websites. (2013). http://www.w3techs.com/technologies/overview/web_server/all. Accessed 2 Aug 2013.

Younis, A. A., & Malaiya,Y. K. (2012). Relationship between attack surface and vulnerability density: A case study on apache HTTP server. In: The 2012 international conference on internet computing (ICOMP’12) (pp. 197–203).

Titel: Assessing vulnerability exploitability risk using software properties
verfasst von: Awad Younis
Yashwant K. Malaiya
Indrajit Ray
Publikationsdatum: 01.03.2016
Verlag: Springer US
Erschienen in: Software Quality Journal / Ausgabe 1/2016
Print ISSN: 0963-9314
Elektronische ISSN: 1573-1367
DOI: https://doi.org/10.1007/s11219-015-9274-6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 1/2016

Special issue on High Assurance Systems Engineering

Experiences with software-based soft-error mitigation using AN codes

Normalizing variations in feature vector structure in keystroke dynamics authentication systems

Finding fault with fault injection: an empirical exploration of distortion in fault injection experiments

In this issue

Certifying a java type resolution function using program transformation, annotation, and reflection

Premium Partner