CASFinder: Detecting Common Attack Surface

Code reusing is a common practice in software development due to its various benefits. Such a practice, however, may also cause large scale security issues since one vulnerability may appear in many different software due to cloned code fragments. The well known concept of relying on software diversity for security may also be compromised since seemingly different software may in fact share vulnerable code fragments. Although there exist efforts on detecting cloned code fragments, there lack solutions for formally characterizing their specific impact on security. In this paper, we revisit the concept of software diversity from a security viewpoint. Specifically, we define the novel concept of common attack surface to model the relative degree to which a pair of software may be sharing potentially vulnerable code fragments. To implement the concept, we develop an automated tool, CASFinder, in order to efficiently identify common attack surface between any given pair of software with minimum human intervention. Finally, we conduct experiments by applying our tool to real world open source software applications. Our results demonstrate many seemingly unrelated software applications indeed share significant common attack surface.

[1]  Richard M. Karp,et al.  Combinatorics, complexity, and randomness , 1986, CACM.

[2]  Richard M. Karp,et al.  Efficient Randomized Pattern-Matching Algorithms , 1987, IBM J. Res. Dev..

[3]  Brenda S. Baker,et al.  A Program for Identifying Duplicated Code , 1992 .

[4]  J. Howard Johnson,et al.  Substring matching for clone detection and change tracking , 1994, Proceedings 1994 International Conference on Software Maintenance.

[5]  Brenda S. Baker,et al.  On finding duplication and near-duplication in large software systems , 1995, Proceedings of 2nd Working Conference on Reverse Engineering.

[6]  Kostas Kontogiannis,et al.  Detecting Code Similarity Using Patterns , 1995 .

[7]  Ettore Merlo,et al.  Experiment on the automatic detection of function clones in a software system using metrics , 1996, 1996 Proceedings of International Conference on Software Maintenance.

[8]  L. D. Moura,et al.  Clone detection using abstract syntax trees , 1998, Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272).

[9]  Stéphane Ducasse,et al.  A language independent approach for detecting duplicated code , 1999, Proceedings IEEE International Conference on Software Maintenance - 1999 (ICSM'99). 'Software Maintenance for Business Change' (Cat. No.99CB36360).

[10]  David Gitchell,et al.  Sim: a utility for detecting similarity in computer programs , 1999, SIGCSE '99.

[11]  Nicholas Tran,et al.  Sim: a utility for detecting similarity in computer programs , 1999, SIGCSE '99.

[12]  Apostolos Syropoulos,et al.  Mathematics of Multisets , 2000, WMP.

[13]  Susan Horwitz,et al.  Using Slicing to Identify Duplication in Source Code , 2001, SAS.

[14]  Shinji Kusumoto,et al.  CCFinder: A Multilinguistic Token-Based Code Clone Detection System for Large Scale Source Code , 2002, IEEE Trans. Software Eng..

[15]  Renato De Mori,et al.  Pattern matching for clone and concept detection , 2004, Automated Software Engineering.

[16]  Jeannette M. Wing,et al.  Measuring a System's Attack Surface , 2004 .

[17]  Michael Howard,et al.  Measuring Relative Attack Surfaces , 2005 .

[18]  Erhard Plödereder,et al.  Bauhaus - A Tool Suite for Program Analysis and Reverse Engineering , 2006, Ada-Europe.

[19]  Yuanyuan Zhou,et al.  CP-Miner: finding copy-paste and related bugs in large-scale software code , 2006, IEEE Transactions on Software Engineering.

[20]  Rainer Koschke,et al.  Clone Detection Using Abstract Syntax Suffix Trees , 2006, 2006 13th Working Conference on Reverse Engineering.

[21]  William F. Smyth,et al.  Efficient token based clone detection with flexible tokenization , 2007, ESEC-FSE companion '07.

[22]  Chanchal K. Roy,et al.  A Survey on Software Clone Detection Research , 2007 .

[23]  Rainer Koschke,et al.  Incremental Clone Detection , 2009, 2009 13th European Conference on Software Maintenance and Reengineering.

[24]  Chanchal Kumar Roy,et al.  Comparison and evaluation of code clone detection techniques and tools: A qualitative approach , 2009, Sci. Comput. Program..

[25]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[26]  Sushil Jajodia,et al.  Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats , 2011, Moving Target Defense.

[27]  David A. Wagner,et al.  Reducing attack surfaces for intra-application communication in android , 2012, SPSM '12.

[28]  Yves Le Traon,et al.  Automatically securing permission-based software by reducing the attack surface: an application to Android , 2012, 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering.

[29]  Sushil Jajodia,et al.  Moving Target Defense II: Application of Game Theory and Adversarial Modeling , 2012 .

[30]  Yashwant K. Malaiya,et al.  Relationship between Attack Surface and Vulnerability Density : A Case Study on Apache HTTP Server , 2013 .

[31]  Wolfgang Schröder-Preikschat,et al.  Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring , 2013, NDSS.

[32]  Sushil Jajodia,et al.  Moving Target Defense II , 2013, Advances in Information Security.

[33]  Richard Ford,et al.  Heartbleed 101 , 2014, IEEE Security & Privacy.

[34]  Indrajit Ray,et al.  Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability , 2014, 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering.

[35]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[36]  Laurie A. Williams,et al.  Approximating Attack Surfaces with Stack Traces , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[37]  Sushil Jajodia,et al.  Network Diversity: A Security Metric for Evaluating the Resilience of Networks Against Zero-Day Attacks , 2016, IEEE Transactions on Information Forensics and Security.

[38]  Hamid Reza Shahriari,et al.  Software Vulnerability Analysis and Discovery Using Machine-Learning and Data-Mining Techniques , 2017, ACM Comput. Surv..