Assessing vulnerability exploitability risk using software properties

Published: 01 March 2016

    Abstract

    Attacks on computer systems are attracting increased attention. Current trends in software vulnerability discovery indicate that the number of newly discovered vulnerabilities remains significant, while the time between the public disclosure of a vulnerability and the release of an automated exploit is shrinking. Assessing vulnerability exploitability risk is therefore critical: it allows decision-makers to prioritize among vulnerabilities, allocate resources to patch and protect systems, and choose between alternatives. Common Vulnerability Scoring System (CVSS) metrics have become the de facto standard for assessing the severity of vulnerabilities. However, the CVSS exploitability measures assign subjective values based on the views of experts. Two of the three exploitability factors in CVSS (version 2), Access Vector and Authentication, take the same value for almost all vulnerabilities, and CVSS does not specify how the third factor, Access Complexity, is measured, so it is unknown whether software properties are considered at all. In this work, we introduce a novel measure, Structural Severity, which is based on software properties: attack entry points, vulnerability location, the presence of dangerous system calls, and reachability analysis. These properties are metrics that can be derived objectively from attack surface analysis, vulnerability analysis, and exploitation analysis. To illustrate the proposed approach, 25 reported vulnerabilities in Apache HTTP Server and 86 reported vulnerabilities in the Linux kernel were examined at the source code level. The results show that the proposed approach, which uses more detailed information, can objectively measure vulnerability exploitability risk, and that its results can differ from the CVSS base scores.
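    The abstract describes Structural Severity in terms of four software properties but gives no formula. The script below is an added illustration, not the paper's code, of how three of those properties (entry points, vulnerability location, and reachability of dangerous calls) can be computed mechanically from a call graph. The call-graph listing is a constructed toy indented like GNU cflow output; its function names, the choice of entry point, the list of dangerous calls (libc wrappers such as `execve` and `system` stand in for the abstract's "dangerous system calls"), and the final ordering in `priority_key` are all assumptions made for the example.

```python
"""Reachability analysis from attack entry points to a vulnerable function.

Added example; none of this is the paper's code. The listing, entry point,
dangerous-call list and ranking rule are assumptions for illustration.
"""
from collections import deque

# Constructed call-graph listing, indented like GNU cflow output (4 spaces
# per call level). Names are hypothetical, not from Apache or Linux.
LISTING = """\
main()
    accept_loop()
        handle_connection()
            read_request()
                parse_request_line()
                    decode_percent()
                        memcpy()
                parse_headers()
                    table_add()
            dispatch()
                serve_file()
                    open()
                run_cgi()
                    execve()
    load_config()
        expand_include()
            system()
"""

# Assumed analysis inputs: where untrusted network bytes enter the program,
# and which calls raise the impact of an exploit if they become reachable.
ENTRY_POINTS = {"handle_connection"}
DANGEROUS_CALLS = {"execve", "system", "open"}


def parse_listing(text, indent=4):
    """Turn an indented caller/callee listing into {caller: [callees]}."""
    graph = {}
    stack = []  # stack[d] holds the function printed at indentation depth d
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // indent
        name = raw.strip().split("(")[0]
        graph.setdefault(name, [])
        del stack[depth:]           # pop back to this line's parent
        if stack:
            graph[stack[-1]].append(name)
        stack.append(name)
    return graph


def shortest_path(graph, sources, target):
    """BFS from any source; returns the shortest call path to target, or None."""
    queue = deque((s, [s]) for s in sources)
    seen = set(sources)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def reachable_from(graph, start):
    """All functions transitively called from start."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def structural_profile(graph, vuln_fn, entry_points=ENTRY_POINTS,
                       dangerous=DANGEROUS_CALLS):
    """Entry-point reachability, path depth and dangerous calls for one flaw."""
    path = shortest_path(graph, entry_points, vuln_fn)
    downstream = reachable_from(graph, vuln_fn)
    return {
        "function": vuln_fn,
        "is_entry_point": vuln_fn in entry_points,   # vulnerability location
        "reachable": path is not None,
        "path": path,
        "depth": None if path is None else len(path) - 1,
        "dangerous_reachable": sorted(downstream & dangerous),
    }


def priority_key(profile):
    """Illustrative ordering (an assumption, not the paper's formula):
    reachable from the attack surface first, then flaws from which a
    dangerous call is reachable, then shorter attack paths first."""
    depth = profile["depth"] if profile["depth"] is not None else float("inf")
    return (profile["reachable"], bool(profile["dangerous_reachable"]), -depth)


def rank(graph, vuln_fns, **kw):
    """Profiles for the given vulnerable functions, most exploitable first."""
    profiles = [structural_profile(graph, f, **kw) for f in vuln_fns]
    return sorted(profiles, key=priority_key, reverse=True)


if __name__ == "__main__":
    g = parse_listing(LISTING)
    for p in rank(g, ["decode_percent", "run_cgi", "expand_include"]):
        print(p)
```

    Run as-is, the three constructed flaws are ordered `run_cgi` (reachable from the entry point in two calls and able to reach `execve`), then `decode_percent` (reachable but with no dangerous call downstream), then `expand_include` (reaches `system` but is only called from configuration loading, not from the network entry point). On a real code base the listing would come from a tool such as cflow or Understand, and the entry-point and dangerous-call sets are the parts an analyst has to decide.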

    Cited By (partial list)

    • (2024) A Survey on Software Vulnerability Exploitability Assessment. ACM Computing Surveys 56(8), 1-41. doi:10.1145/3648610. Published 26 Apr 2024.
    • (2024) CNEPS: A Precise Approach for Examining Dependencies among Third-Party C/C++ Open-Source Components. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-12. doi:10.1145/3597503.3639209. Published 20 May 2024.
    • (2022) LICALITY—Likelihood and Criticality: Vulnerability Risk Prioritization Through Logical Reasoning and Deep Learning. IEEE Transactions on Network and Service Management 19(2), 1746-1760. doi:10.1109/TNSM.2021.3133811. Published 1 Jun 2022.
    • (2021) Research on Programming Technology of Computer Software Engineering Database Based on Multi-platform. 2021 International Conference on Aviation Safety and Information Technology, 616-620. doi:10.1145/3510858.3511339. Published 18 Dec 2021.
    • (2020) Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine. Proceedings of the 36th Annual Computer Security Applications Conference, 386-400. doi:10.1145/3427228.3427568. Published 7 Dec 2020.
    • (2020) An automated framework for evaluating open-source web scanner vulnerability severity. Service Oriented Computing and Applications 14(4), 297-307. doi:10.1007/s11761-020-00296-9. Published 1 Dec 2020.
    • (2020) The effect of Bellwether analysis on software vulnerability severity prediction models. Software Quality Journal 28(4), 1413-1446. doi:10.1007/s11219-019-09490-1. Published 1 Dec 2020.
    • (2019) Cluster-based vulnerability assessment of operating systems and web browsers. Computing 101(2), 139-160. doi:10.1007/s00607-018-0663-0. Published 1 Feb 2019.
    • (2019) AutoCVSS: An Approach for Automatic Assessment of Vulnerability Severity Based on Attack Process. Green, Pervasive, and Cloud Computing, 238-253. doi:10.1007/978-3-030-19223-5_17. Published 26 May 2019.
    • (2018) Hybrid adversarial defense. Journal of Computer Security 26(5), 615-645. doi:10.3233/JCS-171094. Published 1 Jan 2018.

        Published In

        Software Quality Journal, Volume 24, Issue 1, March 2016 (195 pages)

        Publisher

        Kluwer Academic Publishers

        United States

        Author Tags

        1. Attack surface
        2. CVSS metrics
        3. Risk assessment
        4. Software security metrics
        5. Software vulnerability
        6. Source code analysis

        Qualifiers

        • Article
