Emulating representative software vulnerabilities using field data
Security vulnerabilities are a concern in systems and software exposed via networked interfaces. Previous research has shown that only a minority of vulnerabilities can be emulated through software fault injection techniques. This paper aims to accurately emulate software security vulnerabilities. To this end, the paper provides a field-data study on the operators needed to emulate vulnerabilities in software written in the C programming language. A practical implementation is constructed and the feasibility of emulating software vulnerabilities is evaluated. The emulation operators were obtained by analyzing publicly available vulnerability databases for the Linux kernel, the Xen hypervisor, and the OpenSSH tool. The results show that a typical security vulnerability involves a single function and consists of combinations of up to three fault operator instances. The expected impact of this study is to allow practical emulation of security defects in large software projects, to support software quality and security assessment.
Keywords: Security, Dependability, Security vulnerabilities, Software faults
Mathematics Subject Classification: 68N01, 68M15
This work was supported by project BASE - Biofeedback Augmented Software Engineering, project no. 31581, IC&DT AAC no. 02/SAICT/2017, and the second author was supported by the Portuguese Foundation for Science and Technology (FCT) through doctoral grant SFRH/BD/130601/2017.