Assessing vulnerability exploitability risk using software properties

Software Quality Journal

Abstract

Attacks on computer systems are now attracting increased attention. While current trends in software vulnerability discovery indicate that the number of newly discovered vulnerabilities continues to be significant, the time between the public disclosure of a vulnerability and the release of an automated exploit is shrinking. Assessing vulnerability exploitability risk is therefore critical, because it allows decision-makers to prioritize among vulnerabilities, allocate resources to patch and protect systems against them, and choose between alternatives. Common Vulnerability Scoring System (CVSS) metrics have become the de facto standard for assessing the severity of vulnerabilities. However, the CVSS exploitability measures assign subjective values based on the views of experts. Two of the factors in CVSS, Access Vector and Authentication, are the same for almost all vulnerabilities. CVSS does not specify how the third factor, Access Complexity, is measured, and hence it is unknown whether it considers software properties at all. In this work, we introduce a novel measure, Structural Severity, which is based on software properties, namely attack entry points, vulnerability location, the presence of dangerous system calls, and reachability analysis. These properties are metrics that can be objectively derived from attack surface analysis, vulnerability analysis, and exploitation analysis. To illustrate the proposed approach, 25 reported vulnerabilities of Apache HTTP server and 86 reported vulnerabilities of the Linux kernel have been examined at the source code level. The results show that the proposed approach, which uses more detailed information, can objectively measure the risk of vulnerability exploitability, and that its results can differ from the CVSS base scores.
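The reachability part of the approach, as an added illustration that is not the paper's code: a breadth-first search over a call graph finds whether an attack entry point (a function that receives external input) can reach the vulnerable function, how deep that chain is, and which dangerous system calls are transitively reachable from the vulnerability location. The call graph, the entry-point set and the list of dangerous calls below are constructed for this example, and the weighting the paper uses to turn these properties into a Structural Severity score is not on this page, so none is assumed here.

```python
from collections import deque
# Constructed call graph (caller -> callees); not taken from the paper's datasets.
# Entry points model functions that receive external input (the attack surface).
CALL_GRAPH = {
    "read_request": ["parse_headers", "log_line"],
    "parse_headers": ["decode_uri", "copy_header"],
    "decode_uri": ["unsafe_copy"],
    "log_line": ["write_log"],
    "write_log": ["sys_open"],
    "admin_only": ["run_shell"],  # no entry point reaches this subtree
    "run_shell": ["sys_exec"],
}
ENTRY_POINTS = {"read_request"}
# Assumed dangerous system-call wrappers; the paper's own list is not on this page.
DANGEROUS_CALLS = {"sys_open", "sys_exec"}

def shortest_path(graph, start, target):
    """Breadth-first search; returns the call chain start..target or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = prev[node]
            return chain[::-1]
        for callee in graph.get(node, []):
            if callee not in prev:
                prev[callee] = node
                queue.append(callee)
    return None

def reachable_from(graph, start):
    """All functions transitively called from start (start itself excluded)."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen

def structural_profile(graph, entry_points, vuln_func, dangerous):
    """Reachability-derived properties for one vulnerability location."""
    chains = [c for c in (shortest_path(graph, e, vuln_func) for e in entry_points) if c]
    if not chains:
        return {"reachable": False, "depth": None, "dangerous_downstream": []}
    best = min(chains, key=len)  # shortest entry-point-to-vulnerability chain
    downstream = sorted(reachable_from(graph, vuln_func) & dangerous)
    return {"reachable": True, "depth": len(best) - 1, "dangerous_downstream": downstream}
```

A vulnerability that no entry point reaches (here `run_shell`) is reported as unreachable, which is the case where a high CVSS base score and a low structural exploitability risk can diverge.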





Correspondence to Awad Younis.

Appendix

See Table 11.

Table 11 Obtained structural severity metrics compared to CVSS metrics of Linux Kernel dataset


Cite this article

Younis, A., Malaiya, Y.K. & Ray, I. Assessing vulnerability exploitability risk using software properties. Software Qual J 24, 159–202 (2016). https://doi.org/10.1007/s11219-015-9274-6
