Skip to main content
SpringerLink
Log in

A study of synergy between programming practices evolution and information disclosure-causing vulnerabilities

  • Research
  • Published:
Iran Journal of Computer Science Aims and scope Submit manuscript

Abstract

The Common Vulnerabilities and Exposures (CVE) is a formal dictionary of vulnerabilities and associated weaknesses reported by the community. As programming practices, platforms, hardware, and networking capabilities have evolved, the trends in reported vulnerabilities have also changed. This paper focuses on vulnerabilities that resulted in information disclosure and how their characteristics changed over two decades, from 1999 to 2020. The purpose of this analysis was to understand the development in conventional programming and its relationship with information disclosure-causing vulnerabilities. The focus period of this study was divided into two decades: 1999–2010 and 2010–2020. To understand the vulnerabilities that were reported in the first decade and remained popular in the second decade, the crawled CVEs were filtered based on their publication and update dates. The analysis revealed that the execution of arbitrary code remained a favorite among hackers over the two-decade focus period. As attackers' skills have improved, restrictions bypass and memory violations also increased. The study aimed to discover and represent factors that quantify the severity of a reported CVE. Additionally, it highlights the reciprocal relationship between conventional software development strategies and the minimization of a computing system’s exploit potential.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11

Similar content being viewed by others

Data availability

The datasets generated and analysed during the current study have been made available at [46].

References

  1. Manyika, J., Chui, M., Bisson, P., Woetzel, J., Dobbs, R., Bughin, J., Aharon, D.: The internet of things: mapping the value beyond the hype. McKinsey Global Institute, NY, USA (2015)

    Google Scholar 

  2. Reddy, V.Y., Krishna, B.H., Bhooshanam, E.N.: Automation of home and its management using IoT. Int. J. Comput. Syst. Eng. 5(2), 72 (2019). https://doi.org/10.1504/ijcsyse.2019.100027

    Article  Google Scholar 

  3. Gatha, Chauhan R, Singh D (2020) Ensuring Privacy-Aware Data Release: An Analysis of Applicability of Privacy Enhancing Techniques to Real-world Datasets. In: ICRITO 2020 - IEEE 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)

  4. Wei W (2018) Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer. https://thehackernews.com/2018/04/iot-hacking-thermometer.html. Accessed 16 July 2023.

  5. Vlajic, N., Zhou, D.: IoT as a land of opportunity for DDoS hackers. Computer 51(7), 26–34 (2018). https://doi.org/10.1109/MC.2018.3011046

    Article  Google Scholar 

  6. Varma, G.: Local hashing and fake data for privacy-aware frequency estimation. Int. Conf. Ubiquitous Inf. Manag. Commun. (2023). https://doi.org/10.1109/IMCOM56909.2023.10035583

    Article  Google Scholar 

  7. Tanwar, G., Chauhan, R., Singh, D.: User privacy in smart systems: recent findings and countermeasures. SSRN Electron J. (2020). https://doi.org/10.2139/SSRN.3565901

    Article  Google Scholar 

  8. Varma, G., Chauhan, R., Singh, D.: Sarve synthetic data and local differential privacy for private frequency estimation. Cybersecurity 5(1), 1–20 (2022). https://doi.org/10.1186/S42400-022-00129-6

    Article  Google Scholar 

  9. Varma, G., Chauhan, R.: Cybercriminals strike where it hurts most: SARS-Cov-2 pandemic and its influence on critical infrastructure ransomware attacks. Int. Conf. Ubiquitous Inf. Manag. Commun. (2022). https://doi.org/10.1109/IMCOM53663.2022.9721721

    Article  Google Scholar 

  10. MITRE (2022) Common Vulnerabilities and Exposures https://cve.mitre.org/. Accessed 16 July 2023

  11. Mann DE, Christey SM (1999) Towards a Common Enumeration of Vulnerabilities. 2nd Workshop on Research with Security Vulnerability Databases, 1999.

  12. Martin RA (2007) Common Weakness Enumeration

  13. Lee, J., Yim, K., Lee, K.: Vulnerability analysis of software piracy and reverse engineering: based on software C, pp. 59–66. Springer, Cham (2022)

    Google Scholar 

  14. Chang YY, Zavarsky P, Ruhl R, Lindskog D (2011) Trend analysis of the CVE for software vulnerability management. In: Proceedings - 2011 IEEE International Conference on Privacy, Security, Risk and Trust and IEEE International Conference on Social Computing, PASSAT/SocialCom 2011. pp 1290–1293.

  15. Na, S., Kim, T., Kim, H.: A study on the classification of common vulnerabilities and exposures using naïve bayes. In: Barolli, L., Xhafa, F., Yim, K. (eds.) Lecture notes on data engineering and communications technologies, pp. 657–662. Springer International Publishing, Cham (2017)

    Google Scholar 

  16. Han Z, Li X, Xing Z, Liu H, Feng Z (2017) Learning to predict severity of software vulnerability using only vulnerability description. In: Proceedings - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017. Institute of Electrical and Electronics Engineers Inc., pp 125–136.

  17. Li X, Chen J, Lin Z, Zhang L, Wang Z, Zhou M, Xie W (2017) A Mining Approach to Obtain the Software Vulnerability Characteristics. In: Proceedings - 5th International Conference on Advanced Cloud and Big Data, CBD 2017. Institute of Electrical and Electronics Engineers Inc., pp 296–301.

  18. Wang W, Gupta A, Niu N (2018) Mining security requirements from common vulnerabilities and exposures for agile projects. In: Proceedings - 2018 1st International Workshop on Quality Requirements in Agile Projects, QuaRAP 2018. Institute of Electrical and Electronics Engineers Inc., pp 6–9.

  19. Chen Q, Bao L, Li L, Xia X, Cai L (2018) Categorizing and Predicting Invalid Vulnerabilities on Common Vulnerabilities and Exposures. In: Proceedings - Asia-Pacific Software Engineering Conference, APSEC. IEEE Computer Society, pp 345–354.

  20. Pham V, Dang T (2019) CVExplorer: Multidimensional Visualization for Common Vulnerabilities and Exposures. In: Proceedings - 2018 IEEE International Conference on Big Data, Big Data 2018. Institute of Electrical and Electronics Engineers Inc., pp 1296–1301.

  21. Schiappa M, Chantry G, Garibay I (2019) Cyber Security in a Complex Community: A Social Media Analysis on Common Vulnerabilities and Exposures. In: 2019 6th International Conference on Social Networks Analysis, Management and Security, SNAMS 2019. Institute of Electrical and Electronics Engineers Inc., pp 13–20.

  22. Sharma, D., Chandra, P.: Towards recent developments in the methods, metrics and datasets of software fault prediction. Int. J. Comput. Syst. Eng. 6(1), 14 (2020). https://doi.org/10.1504/ijcsyse.2020.109110

    Article  Google Scholar 

  23. Varma, G., Chauhan, R., Singh, D.: A pill to find them all: IoT device behavior fingerprinting using capsule networks. Int. J. Sensors Wirel. Commun. Control 12(2), 122–131 (2021). https://doi.org/10.2174/2210327911666210203222153

    Article  Google Scholar 

  24. Bang, A.O., Rao, U.P., Visconti, A., Brighente, A., Conti, M.: An IoT inventory before deployment: a survey on IoT protocols, communication technologies, vulnerabilities, attacks, and future res directions. Comput. Secur. 123, 102914 (2022). https://doi.org/10.1016/J.COSE.2022.102914

    Article  Google Scholar 

  25. Pranathi K, Kranthi S, Srisaila A, Madhavilatha P (2018) Attacks on Web Application Caused by Cross Site Scripting. In: Proceedings of the 2nd International Conference on Electronics, Communication and Aerospace Technology, ICECA 2018. Institute of Electrical and Electronics Engineers Inc., pp 1754–1759.

  26. Mohammadi M, Chu B, Richter Lipford H (2019) Automated repair of cross-site scripting vulnerabilities through unit testing. In: Proceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019. Institute of Electrical and Electronics Engineers Inc., pp 370–377 https://doi.org/10.1109/ISSREW.2019.00098.

  27. Shar, L.K., Tan, H.B.K.: Defending against cross-site scripting attacks. Computer 45, 55–62 (2012)

    Article  Google Scholar 

  28. Bai, Y., Chen, Z.: Analysis and exploit of directory traversal vulnerability on VMware. In: Niu, W., Li, G., Liu, J., Tan, J., Guo, L., Han, Z., Batten, L. (eds.) Communications in computer and information science, pp. 238–244. Springer Verlag, Berlin, Heidelberg (2015)

    Google Scholar 

  29. Shinde PS, Ardhapurkar SB (2016) Cyber security analysis using vulnerability assessment and penetration testing. IEEE WCTFTR 2016 - Proc 2016 World Conf Futur Trends Res Innov Soc Welf. https://doi.org/10.1109/STARTUP.2016.7583912.

  30. Mburano, B., Si, W.: Evaluation of web vulnerability scanners based on OWASP benchmark. Int. Conf. Syst. Eng. ICSEng. Proc. (2019). https://doi.org/10.1109/ICSENG.2018.8638176

    Article  Google Scholar 

  31. Aota, M., Kanehara, H., Kubo, M., Murata, N., Sun, B., Takahashi, T.: Automation of vulnerability classification from its description using machine learning. Proc. IEEE Symp. Comput. Commun. (2020). https://doi.org/10.1109/ISCC50000.2020.9219568

    Article  Google Scholar 

  32. Giannetsos, T., Dimitriou, T., Krontiris, I., Prasad, N.R.: Arbitrary code injection through self-propagating worms in von Neumann architecture devices. Comput. J. 53(10), 1576–1593 (2010). https://doi.org/10.1093/comjnl/bxq009

    Article  Google Scholar 

  33. Monshizadeh M, Naldurg P, Venkatakrishnan VN (2014) MACE: Detecting privilege escalation vulnerabilities in web applications. In: Proceedings of the ACM Conference on Computer and Communications Security. Association for Computing Machinery, pp 690–701.

  34. Qiang, W., Yang, J., Jin, H., Shi, X.: PrivGuard: protecting sensitive kernel data from privilege escalation attacks. IEEE Access 6, 46584–46594 (2018). https://doi.org/10.1109/ACCESS.2018.2866498

    Article  Google Scholar 

  35. Prandini, M., Ramilli, M., Cerroni, W., Callegati, F.: Splitting the HTTPS stream to attack secure web connections. IEEE Secur. Priv. 8(6), 80–84 (2010). https://doi.org/10.1109/MSP.2010.190

    Article  Google Scholar 

  36. Kshirsagar D, Kumar S, Purohit L (2016) Exploring usage of ontology for HTTP response splitting attack. In: Proceedings on 2015 1st International Conference on Next Generation Computing Technologies, NGCT 2015. Institute of Electrical and Electronics Engineers Inc., pp 437–440.

  37. Zhang B, Wu B, Feng C, Tang C (2015) Memory corruption vulnerabilities detection for Android binary software. In: 2015 IEEE International Conference on Signal Processing, Communications and Computing, ICSPCC 2015. Institute of Electrical and Electronics Engineers Inc.

  38. Jiang C, Wang Y (2019) Survey on memory corruption mitigation. In: Proceedings of 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference, ITNEC 2019. Institute of Electrical and Electronics Engineers Inc., pp 731–738.

  39. Gao Y, Chen L, Shi G, Zhang F (2018). A comprehensive detection of memory corruption vulnerabilities for C/C++ programs. In: 2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom) (pp. 354–360).

  40. Sheikh, A.: Buffer Overflow. In: Sheikh, A. (ed.) Certified ethical hacker (CEH) preparation guide: lesson-based review of ethical hacking and penetration testing, pp. 165–173. Apress, CA (2021)

    Chapter  Google Scholar 

  41. Wang W, Lei Y, Liu D, Kung D, Csallner C, Zhang D, Kacker R, Kuhn R (2011) A combinatorial approach to detecting buffer overflow vulnerabilities. In: Proceedings of the International Conference on Dependable Systems and Networks. pp 269–278.

  42. González Robledo, H.F.: Types of hosts on a remote file inclusion(RFI) botnet. Proc. Electron Robot. Automot. Mech. Conf. CERMA 2008, 105–109 (2008). https://doi.org/10.1109/CERMA.2008.60

    Article  Google Scholar 

  43. Shahriar H, Talukder MAI, Rahman M, Chi H, Ahamed S, Wu F (2019) Hands-on file inclusion vulnerability and proactive control for secure software development. In: Proceedings - International Computer Software and Applications Conference. IEEE Computer Society, pp 604–609.

  44. Kareem, F.Q., Ameen, S.Y., Salih, A.A., Ahmed, D.M., Kak, S.F., Yasin, H.M., Ibrahim, I.M., Ahmed, A.M., Rashid, Z.N., Omar, N.: SQL Injection attacks prevention system technology: review. Asian J. Res. Comput. Sci. (2021). https://doi.org/10.9734/AJRCOS/2021/V10I330242

    Article  Google Scholar 

  45. Ma L, Zhao D, Gao Y, Zhao C (2019) Research on SQL Injection Attack and Prevention Technology Based on Web. In: Proceedings - 2nd International Conference on Computer Network, Electronic and Automation, ICCNEA 2019. Institute of Electrical and Electronics Engineers Inc., pp 176–179.

  46. Gatha Varma (2023) A study of synergy between programming practices evolution and information disclosure-causing vulnerabilities. https://doi.org/10.1007/s42044-023-00156-7

Download references

Funding

No funding was received to assist with the preparation of this manuscript.

Author information

Authors and Affiliations

  1. Censius Inc., Austin, TX, USA

    Gatha Varma

Authors
  1. Gatha Varma
    View author publications

    You can also search for this author in PubMed Google Scholar

Contributions

Conceptualization: GV; Methodology: GV; Formal analysis and investigation: GV; Writing—original draft preparation: GV; Writing—review and editing: JM; Funding acquisition: Not Applicable.

Corresponding author

Correspondence to Gatha Varma.

Ethics declarations

Conflict of interest

The author has no competing interests to declare that are relevant to the content of this article.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Varma, G. A study of synergy between programming practices evolution and information disclosure-causing vulnerabilities. Iran J Comput Sci 7, 25–40 (2024). https://doi.org/10.1007/s42044-023-00156-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s42044-023-00156-7

Keywords

Search

Navigation