To Fear or Not to Fear That is the Question: Code Characteristics of a Vulnerable Function with an Existing Exploit

ABSTRACT
Not all vulnerabilities are equal. Recent studies have shown that only a small fraction of reported vulnerabilities have actually been exploited. Since finding and addressing potential vulnerabilities in a program can take considerable time and effort, recent work has tried to identify code that is more likely to be vulnerable. This paper tries to identify the attributes of the code containing a vulnerability that make that code more likely to be exploited. We examine 183 vulnerabilities from the National Vulnerability Database for the Linux Kernel and the Apache HTTP server. These include eighty-two vulnerabilities for which an exploit exists according to the Exploit Database. We characterize the vulnerable functions that have no exploit and the ones that have an exploit using eight metrics. The results show that the difference between a vulnerability with no exploit and one with an exploit can potentially be characterized using the chosen software metrics. However, predicting the exploitation of vulnerabilities is more complex than predicting just the presence of vulnerabilities, and further research is needed using metrics that incorporate security domain knowledge to improve the predictability of vulnerability exploits.