DOI: 10.1145/2857705.2857750
short-paper

To Fear or Not to Fear That is the Question: Code Characteristics of a Vulnerable Function with an Existing Exploit

Published: 09 March 2016

Abstract

Not all vulnerabilities are equal. Some recent studies have shown that only a small fraction of the vulnerabilities that have been reported have actually been exploited. Since finding and addressing potential vulnerabilities in a program can take considerable time and effort, recent work has tried to identify code that is more likely to be vulnerable. This paper tries to identify the attributes of code containing a vulnerability that make the code more likely to be exploited. We examine 183 vulnerabilities from the National Vulnerability Database for the Linux kernel and the Apache HTTP Server. These include eighty-two vulnerabilities that have been found to have an exploit according to the Exploit Database. We characterize the vulnerable functions that have no exploit and the ones that have an exploit using eight metrics. The results show that the difference between a vulnerability that has no exploit and one that has an exploit can potentially be characterized using the chosen software metrics. However, predicting exploitation of vulnerabilities is more complex than predicting just the presence of vulnerabilities, and further research is needed using metrics that consider security domain knowledge to enhance the predictability of vulnerability exploits.

Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN: 9781450339353
DOI: 10.1145/2857705

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. data mining and machine learning
2. exploitability
3. exploits
4. feature selection
5. prediction
6. software metrics
7. software security
8. vulnerabilities severity

Acceptance Rates

CODASPY '16 paper acceptance rate: 22 of 115 submissions, 19%
Overall acceptance rate: 149 of 789 submissions, 19%
