Abstract
The Common Vulnerabilities and Exposures (CVE) is a formal dictionary of vulnerabilities and associated weaknesses reported by the community. As programming practices, platforms, hardware, and networking capabilities have evolved, the trends in reported vulnerabilities have also changed. This paper focuses on vulnerabilities that resulted in information disclosure and how their characteristics changed over two decades, from 1999 to 2020. The purpose of this analysis was to understand the development in conventional programming and its relationship with information disclosure-causing vulnerabilities. The focus period of this study was divided into two decades: 1999–2010 and 2010–2020. To understand the vulnerabilities that were reported in the first decade and remained popular in the second decade, the crawled CVEs were filtered based on their publication and update dates. The analysis revealed that the execution of arbitrary code remained a favorite among hackers over the two-decade focus period. As attackers' skills have improved, restrictions bypass and memory violations also increased. The study aimed to discover and represent factors that quantify the severity of a reported CVE. Additionally, it highlights the reciprocal relationship between conventional software development strategies and the minimization of a computing system’s exploit potential.
Similar content being viewed by others
Data availability
The datasets generated and analysed during the current study have been made available at [46].
References
Manyika, J., Chui, M., Bisson, P., Woetzel, J., Dobbs, R., Bughin, J., Aharon, D.: The internet of things: mapping the value beyond the hype. McKinsey Global Institute, NY, USA (2015)
Reddy, V.Y., Krishna, B.H., Bhooshanam, E.N.: Automation of home and its management using IoT. Int. J. Comput. Syst. Eng. 5(2), 72 (2019). https://doi.org/10.1504/ijcsyse.2019.100027
Gatha, Chauhan R, Singh D (2020) Ensuring Privacy-Aware Data Release: An Analysis of Applicability of Privacy Enhancing Techniques to Real-world Datasets. In: ICRITO 2020 - IEEE 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)
Wei W (2018) Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer. https://thehackernews.com/2018/04/iot-hacking-thermometer.html. Accessed 16 July 2023.
Vlajic, N., Zhou, D.: IoT as a land of opportunity for DDoS hackers. Computer 51(7), 26–34 (2018). https://doi.org/10.1109/MC.2018.3011046
Varma, G.: Local hashing and fake data for privacy-aware frequency estimation. Int. Conf. Ubiquitous Inf. Manag. Commun. (2023). https://doi.org/10.1109/IMCOM56909.2023.10035583
Tanwar, G., Chauhan, R., Singh, D.: User privacy in smart systems: recent findings and countermeasures. SSRN Electron J. (2020). https://doi.org/10.2139/SSRN.3565901
Varma, G., Chauhan, R., Singh, D.: Sarve synthetic data and local differential privacy for private frequency estimation. Cybersecurity 5(1), 1–20 (2022). https://doi.org/10.1186/S42400-022-00129-6
Varma, G., Chauhan, R.: Cybercriminals strike where it hurts most: SARS-Cov-2 pandemic and its influence on critical infrastructure ransomware attacks. Int. Conf. Ubiquitous Inf. Manag. Commun. (2022). https://doi.org/10.1109/IMCOM53663.2022.9721721
MITRE (2022) Common Vulnerabilities and Exposures https://cve.mitre.org/. Accessed 16 July 2023
Mann DE, Christey SM (1999) Towards a Common Enumeration of Vulnerabilities. 2nd Workshop on Research with Security Vulnerability Databases, 1999.
Martin RA (2007) Common Weakness Enumeration
Lee, J., Yim, K., Lee, K.: Vulnerability analysis of software piracy and reverse engineering: based on software C, pp. 59–66. Springer, Cham (2022)
Chang YY, Zavarsky P, Ruhl R, Lindskog D (2011) Trend analysis of the CVE for software vulnerability management. In: Proceedings - 2011 IEEE International Conference on Privacy, Security, Risk and Trust and IEEE International Conference on Social Computing, PASSAT/SocialCom 2011. pp 1290–1293.
Na, S., Kim, T., Kim, H.: A study on the classification of common vulnerabilities and exposures using naïve bayes. In: Barolli, L., Xhafa, F., Yim, K. (eds.) Lecture notes on data engineering and communications technologies, pp. 657–662. Springer International Publishing, Cham (2017)
Han Z, Li X, Xing Z, Liu H, Feng Z (2017) Learning to predict severity of software vulnerability using only vulnerability description. In: Proceedings - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017. Institute of Electrical and Electronics Engineers Inc., pp 125–136.
Li X, Chen J, Lin Z, Zhang L, Wang Z, Zhou M, Xie W (2017) A Mining Approach to Obtain the Software Vulnerability Characteristics. In: Proceedings - 5th International Conference on Advanced Cloud and Big Data, CBD 2017. Institute of Electrical and Electronics Engineers Inc., pp 296–301.
Wang W, Gupta A, Niu N (2018) Mining security requirements from common vulnerabilities and exposures for agile projects. In: Proceedings - 2018 1st International Workshop on Quality Requirements in Agile Projects, QuaRAP 2018. Institute of Electrical and Electronics Engineers Inc., pp 6–9.
Chen Q, Bao L, Li L, Xia X, Cai L (2018) Categorizing and Predicting Invalid Vulnerabilities on Common Vulnerabilities and Exposures. In: Proceedings - Asia-Pacific Software Engineering Conference, APSEC. IEEE Computer Society, pp 345–354.
Pham V, Dang T (2019) CVExplorer: Multidimensional Visualization for Common Vulnerabilities and Exposures. In: Proceedings - 2018 IEEE International Conference on Big Data, Big Data 2018. Institute of Electrical and Electronics Engineers Inc., pp 1296–1301.
Schiappa M, Chantry G, Garibay I (2019) Cyber Security in a Complex Community: A Social Media Analysis on Common Vulnerabilities and Exposures. In: 2019 6th International Conference on Social Networks Analysis, Management and Security, SNAMS 2019. Institute of Electrical and Electronics Engineers Inc., pp 13–20.
Sharma, D., Chandra, P.: Towards recent developments in the methods, metrics and datasets of software fault prediction. Int. J. Comput. Syst. Eng. 6(1), 14 (2020). https://doi.org/10.1504/ijcsyse.2020.109110
Varma, G., Chauhan, R., Singh, D.: A pill to find them all: IoT device behavior fingerprinting using capsule networks. Int. J. Sensors Wirel. Commun. Control 12(2), 122–131 (2021). https://doi.org/10.2174/2210327911666210203222153
Bang, A.O., Rao, U.P., Visconti, A., Brighente, A., Conti, M.: An IoT inventory before deployment: a survey on IoT protocols, communication technologies, vulnerabilities, attacks, and future res directions. Comput. Secur. 123, 102914 (2022). https://doi.org/10.1016/J.COSE.2022.102914
Pranathi K, Kranthi S, Srisaila A, Madhavilatha P (2018) Attacks on Web Application Caused by Cross Site Scripting. In: Proceedings of the 2nd International Conference on Electronics, Communication and Aerospace Technology, ICECA 2018. Institute of Electrical and Electronics Engineers Inc., pp 1754–1759.
Mohammadi M, Chu B, Richter Lipford H (2019) Automated repair of cross-site scripting vulnerabilities through unit testing. In: Proceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019. Institute of Electrical and Electronics Engineers Inc., pp 370–377 https://doi.org/10.1109/ISSREW.2019.00098.
Shar, L.K., Tan, H.B.K.: Defending against cross-site scripting attacks. Computer 45, 55–62 (2012)
Bai, Y., Chen, Z.: Analysis and exploit of directory traversal vulnerability on VMware. In: Niu, W., Li, G., Liu, J., Tan, J., Guo, L., Han, Z., Batten, L. (eds.) Communications in computer and information science, pp. 238–244. Springer Verlag, Berlin, Heidelberg (2015)
Shinde PS, Ardhapurkar SB (2016) Cyber security analysis using vulnerability assessment and penetration testing. IEEE WCTFTR 2016 - Proc 2016 World Conf Futur Trends Res Innov Soc Welf. https://doi.org/10.1109/STARTUP.2016.7583912.
Mburano, B., Si, W.: Evaluation of web vulnerability scanners based on OWASP benchmark. Int. Conf. Syst. Eng. ICSEng. Proc. (2019). https://doi.org/10.1109/ICSENG.2018.8638176
Aota, M., Kanehara, H., Kubo, M., Murata, N., Sun, B., Takahashi, T.: Automation of vulnerability classification from its description using machine learning. Proc. IEEE Symp. Comput. Commun. (2020). https://doi.org/10.1109/ISCC50000.2020.9219568
Giannetsos, T., Dimitriou, T., Krontiris, I., Prasad, N.R.: Arbitrary code injection through self-propagating worms in von Neumann architecture devices. Comput. J. 53(10), 1576–1593 (2010). https://doi.org/10.1093/comjnl/bxq009
Monshizadeh M, Naldurg P, Venkatakrishnan VN (2014) MACE: Detecting privilege escalation vulnerabilities in web applications. In: Proceedings of the ACM Conference on Computer and Communications Security. Association for Computing Machinery, pp 690–701.
Qiang, W., Yang, J., Jin, H., Shi, X.: PrivGuard: protecting sensitive kernel data from privilege escalation attacks. IEEE Access 6, 46584–46594 (2018). https://doi.org/10.1109/ACCESS.2018.2866498
Prandini, M., Ramilli, M., Cerroni, W., Callegati, F.: Splitting the HTTPS stream to attack secure web connections. IEEE Secur. Priv. 8(6), 80–84 (2010). https://doi.org/10.1109/MSP.2010.190
Kshirsagar D, Kumar S, Purohit L (2016) Exploring usage of ontology for HTTP response splitting attack. In: Proceedings on 2015 1st International Conference on Next Generation Computing Technologies, NGCT 2015. Institute of Electrical and Electronics Engineers Inc., pp 437–440.
Zhang B, Wu B, Feng C, Tang C (2015) Memory corruption vulnerabilities detection for Android binary software. In: 2015 IEEE International Conference on Signal Processing, Communications and Computing, ICSPCC 2015. Institute of Electrical and Electronics Engineers Inc.
Jiang C, Wang Y (2019) Survey on memory corruption mitigation. In: Proceedings of 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference, ITNEC 2019. Institute of Electrical and Electronics Engineers Inc., pp 731–738.
Gao Y, Chen L, Shi G, Zhang F (2018). A comprehensive detection of memory corruption vulnerabilities for C/C++ programs. In: 2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom) (pp. 354–360).
Sheikh, A.: Buffer Overflow. In: Sheikh, A. (ed.) Certified ethical hacker (CEH) preparation guide: lesson-based review of ethical hacking and penetration testing, pp. 165–173. Apress, CA (2021)
Wang W, Lei Y, Liu D, Kung D, Csallner C, Zhang D, Kacker R, Kuhn R (2011) A combinatorial approach to detecting buffer overflow vulnerabilities. In: Proceedings of the International Conference on Dependable Systems and Networks. pp 269–278.
González Robledo, H.F.: Types of hosts on a remote file inclusion(RFI) botnet. Proc. Electron Robot. Automot. Mech. Conf. CERMA 2008, 105–109 (2008). https://doi.org/10.1109/CERMA.2008.60
Shahriar H, Talukder MAI, Rahman M, Chi H, Ahamed S, Wu F (2019) Hands-on file inclusion vulnerability and proactive control for secure software development. In: Proceedings - International Computer Software and Applications Conference. IEEE Computer Society, pp 604–609.
Kareem, F.Q., Ameen, S.Y., Salih, A.A., Ahmed, D.M., Kak, S.F., Yasin, H.M., Ibrahim, I.M., Ahmed, A.M., Rashid, Z.N., Omar, N.: SQL Injection attacks prevention system technology: review. Asian J. Res. Comput. Sci. (2021). https://doi.org/10.9734/AJRCOS/2021/V10I330242
Ma L, Zhao D, Gao Y, Zhao C (2019) Research on SQL Injection Attack and Prevention Technology Based on Web. In: Proceedings - 2nd International Conference on Computer Network, Electronic and Automation, ICCNEA 2019. Institute of Electrical and Electronics Engineers Inc., pp 176–179.
Gatha Varma (2023) A study of synergy between programming practices evolution and information disclosure-causing vulnerabilities. https://doi.org/10.1007/s42044-023-00156-7
Funding
No funding was received to assist with the preparation of this manuscript.
Author information
Authors and Affiliations
Contributions
Conceptualization: GV; Methodology: GV; Formal analysis and investigation: GV; Writing—original draft preparation: GV; Writing—review and editing: JM; Funding acquisition: Not Applicable.
Corresponding author
Ethics declarations
Conflict of interest
The author has no competing interests to declare that are relevant to the content of this article.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Varma, G. A study of synergy between programming practices evolution and information disclosure-causing vulnerabilities. Iran J Comput Sci 7, 25–40 (2024). https://doi.org/10.1007/s42044-023-00156-7
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s42044-023-00156-7