An analysis of how many undiscovered vulnerabilities remain in information systems

Published: 01 August 2023
Abstract

    Vulnerability management strategy, from both organizational and public policy perspectives, hinges on an understanding of the supply of undiscovered vulnerabilities. If the number of undiscovered vulnerabilities is small enough, then a reasonable investment strategy would be to focus on finding and removing the remaining undiscovered vulnerabilities. If the number of undiscovered vulnerabilities is, and will continue to be, large, then a better investment strategy would be to focus on quick patch dissemination and engineering resilient systems. This paper examines a paradigm, namely that the number of undiscovered vulnerabilities is manageably small, through the lens of mathematical concepts from the theory of computing. From this perspective, we find little support for the paradigm of limited undiscovered vulnerabilities. We then briefly support the notion that these theory-based conclusions are relevant to practical computers in use today. We find no reason to believe that undiscovered vulnerabilities are not essentially unlimited in practice, and we examine the possible economic impacts should this be the case. Based on our analysis, we recommend that vulnerability management strategy adopt an approach favoring quick patch dissemination and engineering resilient systems, while continuing good software engineering practices to reduce (but never eliminate) vulnerabilities in information systems.


    Published In

    Computers and Security, Volume 131, Issue C
    Aug 2023
    298 pages

    Publisher

    Elsevier Advanced Technology Publications
    United Kingdom

    Author Tags

    1. Vulnerability analysis
    2. Economics of information security
    3. Turing machine
    4. Security policy
    5. Vulnerability management

    Qualifiers

    • Research-article