
Security Vulnerabilities in Software Systems: A Quantitative Perspective

  • Omar Alhazmi
  • Yashwant Malaiya
  • Indrajit Ray
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3654)

Abstract

Security and reliability are important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. In this work we examine the feasibility of quantitatively characterizing some aspects of security. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a future release of a software system. We use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in some of the popular operating systems is analyzed. We examine this data to determine whether the density of vulnerabilities in a program (vulnerabilities per unit of code size, analogous to defect density) is a useful measure. We try to identify what fraction of software defects is security related, i.e., what fraction of defects are vulnerabilities. We examine the dynamics of vulnerability discovery, hypothesizing that it may lead us to an estimate of the number of undiscovered vulnerabilities still present in the system. We consider the vulnerability-discovery rate to see whether models can be developed to project future trends. Finally, we use the data for both commercial and open-source systems to determine whether the key observations are generally applicable. Our results indicate that vulnerability densities fall within a range of values, just like the commonly used measure of defect density for general defects. Our examination also reveals that vulnerability discovery may be influenced by several factors, including the sharing of code between successive versions of a software system.
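The three quantities the abstract works with (vulnerability density, the vulnerability-to-defect ratio, and a discovery-rate model used to estimate how many vulnerabilities remain) can be computed from a release's size, defect count and cumulative discovery history. The example below is added here and is not code from the paper or its authors; the per-release figures and the cumulative discovery series are constructed sample data, and the saturating exponential model V(t) = N(1 - e^(-bt)) fitted by grid search is an assumed, deliberately simple reliability-growth form rather than the model the paper itself evaluates.

```python
"""Vulnerability density, vulnerability-to-defect ratio, and a simple
discovery-trend fit (added example; constructed data, not the paper's)."""
import math

# Constructed sample (assumed values, not measurements from the paper):
# size in KLOC, total reported defects, and how many of those were vulnerabilities.
RELEASES = {
    "os-v1": {"kloc": 5000, "defects": 12000, "vulns": 60},
    "os-v2": {"kloc": 8000, "defects": 15000, "vulns": 96},
}

# Constructed cumulative vulnerability counts at the end of months 1..20
# (generated from N=100, b=0.1 and rounded to whole vulnerabilities).
SAMPLE_CUMULATIVE = [10, 18, 26, 33, 39, 45, 50, 55, 59, 63,
                     67, 70, 73, 75, 78, 80, 82, 83, 85, 86]


def vulnerability_density(vulns, kloc):
    """Vulnerabilities per thousand lines of code, the security analogue of defect density."""
    return vulns / kloc


def vulnerability_to_defect_ratio(vulns, defects):
    """Fraction of all reported defects that are security vulnerabilities."""
    return vulns / defects


def cumulative_exponential(n_total, rate, t):
    """Assumed saturating model: cumulative vulnerabilities found by time t."""
    return n_total * (1.0 - math.exp(-rate * t))


def fit_exponential(cumulative_counts, n_max=None):
    """Least-squares grid search for (N, b) in V(t) = N(1 - exp(-b t)).

    cumulative_counts[i] is the count observed at t = i + 1.  N is searched
    from the last observed count upward (the total can never be below what
    has already been found); b over 0.01..0.99.
    """
    observed = cumulative_counts[-1]
    n_max = n_max or 5 * observed
    best = None
    for n_total in range(observed, n_max + 1):
        for k in range(1, 100):
            rate = k / 100
            sse = sum(
                (cumulative_exponential(n_total, rate, t) - c) ** 2
                for t, c in enumerate(cumulative_counts, start=1)
            )
            if best is None or sse < best[0]:
                best = (sse, n_total, rate)
    return best[1], best[2]


def undiscovered_estimate(cumulative_counts):
    """Estimated vulnerabilities still present: fitted total minus those already found."""
    n_total, _ = fit_exponential(cumulative_counts)
    return n_total - cumulative_counts[-1]


def projected_new(cumulative_counts, horizon):
    """Expected number of additional discoveries over the next `horizon` periods."""
    n_total, rate = fit_exponential(cumulative_counts)
    now = len(cumulative_counts)
    return (cumulative_exponential(n_total, rate, now + horizon)
            - cumulative_exponential(n_total, rate, now))


if __name__ == "__main__":
    for name, r in RELEASES.items():
        print(name,
              "density/KLOC=%.4f" % vulnerability_density(r["vulns"], r["kloc"]),
              "vuln/defect=%.4f" % vulnerability_to_defect_ratio(r["vulns"], r["defects"]))
    n, b = fit_exponential(SAMPLE_CUMULATIVE)
    print("fitted N=%d b=%.2f, undiscovered=%d, next 6 months=%.1f"
          % (n, b, undiscovered_estimate(SAMPLE_CUMULATIVE),
             projected_new(SAMPLE_CUMULATIVE, 6)))
```

The grid search is brute force on purpose: it keeps the example dependency-free and makes the constraint N >= observed explicit, which a generic curve fitter will not enforce. With a real discovery history the caveat the abstract raises applies directly: if a release shares most of its code with its predecessor, vulnerabilities found in the older version are effectively pre-discovered for the newer one, and a fit to the newer release's counts alone will misjudge its remaining pool.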

Keywords

Defect Density; Software Reliability; Security Vulnerability; Quantitative Perspective; Software Reliability Growth Model


Copyright information

© IFIP International Federation for Information Processing 2005

Authors and Affiliations

  • Omar Alhazmi, Yashwant Malaiya, Indrajit Ray
    Department of Computer Science, Colorado State University, Fort Collins, USA
