Measuring, analyzing and predicting security vulnerabilities in software systems

In this work we examine the feasibility of quantitatively characterizing some aspects of security. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be present in a software system but may not have been found yet. We use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in these systems are analyzed. We examine the results to determine if the density of vulnerabilities in a program is a useful measure. We also address the question of what fraction of software defects are security related, i.e., are vulnerabilities. We examine the dynamics of vulnerability discovery, hypothesizing that it may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We consider the vulnerability discovery rate to see if models can be developed to project future trends. Finally, we use the data for both commercial and open-source systems to determine whether the key observations are generally applicable. Our results indicate that the values of vulnerability density fall within a range of values, just like the commonly used measure of defect density for general defects. Our examination also reveals that it is possible to model vulnerability discovery using a logistic model that can sometimes be approximated by a linear model.
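The following is an added illustration, not code or data from the paper, of the two quantities the abstract discusses: a logistic model of cumulative vulnerability discovery, with its linear approximation during the steady-discovery phase, and vulnerability density per KLOC. The monthly counts, the code size, and the three-parameter logistic form B / (1 + C e^(-kt)) are assumptions; the saturation level B (found plus still-undiscovered vulnerabilities) is recovered by a grid search with a linearised least-squares solve for C and k.

```python
"""Logistic vs. linear models of cumulative vulnerability discovery (added example)."""
import math
# Constructed, not real data: cumulative vulnerabilities reported against a
# hypothetical OS release, by month since release (S-shaped, as the paper describes).
MONTHS = list(range(1, 25))
CUMULATIVE = [5, 6, 8, 10, 13, 16, 19, 24, 29, 35, 41, 48,
              55, 63, 70, 77, 84, 90, 95, 100, 104, 107, 110, 112]
KLOC = 1500.0  # assumed size of the release in thousands of lines of code

def logistic(t, B, C, k):
    """Cumulative count at time t: B = saturation level (all vulnerabilities,
    found or not), k = growth rate, C = initial offset."""
    return B / (1.0 + C * math.exp(-k * t))

def _ols(xs, ys):
    """Ordinary least squares: returns (slope, intercept)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return slope, my - slope * mx

def fit_logistic(ts, ys, b_max=400):
    """Grid over saturation levels B > max(ys); each B linearises to ln(B/y - 1) = ln C - k*t,
    solved by OLS. Keep the B with the smallest squared error in count space: (B, C, k, sse)."""
    best = None
    for B in range(max(ys) + 1, b_max):
        slope, intercept = _ols(ts, [math.log(B / y - 1.0) for y in ys])
        C, k = math.exp(intercept), -slope
        sse = sum((logistic(t, B, C, k) - y) ** 2 for t, y in zip(ts, ys))
        if best is None or sse < best[3]:
            best = (B, C, k, sse)
    return best

def fit_linear(ts, ys):
    """Constant-rate approximation: returns (rate per period, intercept, sse)."""
    slope, intercept = _ols(ts, ys)
    return slope, intercept, sum((slope * t + intercept - y) ** 2 for t, y in zip(ts, ys))

def vulnerability_density(count, kloc):
    """Vulnerabilities per thousand lines of code."""
    return count / kloc

if __name__ == "__main__":
    B, C, k, sse = fit_logistic(MONTHS, CUMULATIVE)
    print(f"logistic: B={B} k={k:.3f} peak rate={B * k / 4:.1f}/month sse={sse:.1f}")
    print(f"still undiscovered (estimate): {B - CUMULATIVE[-1]}")
    rate, _, lin_sse = fit_linear(MONTHS[7:18], CUMULATIVE[7:18])  # months 8-18 only
    print(f"linear phase: {rate:.2f}/month sse={lin_sse:.1f}; "
          f"V_D so far={vulnerability_density(CUMULATIVE[-1], KLOC):.3f}/KLOC")
```

The linear fit is restricted to the middle months because, as the abstract notes, the constant-rate approximation only holds in that phase; fitting a line to all 24 months gives a far larger error than the logistic model.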
