Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability

Authors: Awad A. Younis, Yashwant K. Malaiya, Indrajit Ray

DOI: 10.1109/HASE.2014.10

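Abstract: An unpatched vulnerability can lead to security breaches. When a new vulnerability is discovered, it needs to be assessed so that it can be prioritized. A major challenge in software security is the assessment of the potential risk due to vulnerability exploitability. CVSS metrics have become a de facto standard that is commonly used to assess the severity of a vulnerability. The CVSS Base Score measures severity based on exploitability and impact measures. CVSS exploitability is measured based on three metrics: Access Vector, Authentication, and Access Complexity. However, CVSS exploitability measures assign subjective numbers based on the views of experts. Two of its factors, Access Vector and Authentication, are the same for almost all vulnerabilities. CVSS does not specify how the third factor, Access Complexity, is measured, and hence we do not know if it considers software properties as a factor. In this paper, we propose an approach that assesses the risk of vulnerability exploitability based on two software properties: attack surface entry points and reachability analysis. A vulnerability is reachable if it is located in one of the entry points or is located in a function that is called either directly or indirectly by the entry points. The likelihood of an entry point being used in an attack can be assessed by using the damage potential-effort ratio in the attack surface metric and the presence of system calls deemed dangerous. To illustrate the proposed method, five reported vulnerabilities of Apache HTTP server 1.3.0 have been examined at the source code level. The results show that the proposed approach, which uses more detailed information, can yield a risk assessment that can be different from the CVSS Base Score.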
