Quantitative vulnerability assessment of systems software

This paper addresses the feasibility of quantitatively characterizing the vulnerabilities present in systems software. Vulnerabilities in such software represent significant security risks. For Windows 98 and Windows NT 4.0, we present plots of the cumulative number of vulnerabilities found over time. A time-based model for the total number of vulnerabilities discovered is proposed and fitted to the data for the two operating systems. We introduce a measure termed equivalent effort and propose an alternative model, analogous to software reliability growth models, that is expressed in terms of it. We present data on the known defect densities of the two operating systems and discuss the relation between the density of vulnerabilities and that of general defects. This relationship could lead to ways of estimating the number of vulnerabilities that remain to be found in a system.
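The abstract describes fitting a time-based model to cumulative vulnerability counts and relating the resulting total to code size. The following is an added illustration of that workflow, not code or data from the paper: the page does not state the model's form, so a three-parameter logistic (S-shaped) curve is assumed here, and the monthly counts, the system size in KSLOC and the defect density are constructed values, not the Windows 98 or Windows NT 4.0 data.

```python
"""Fit an S-shaped (logistic) time-based model to cumulative vulnerability
counts, then use the fit to estimate the eventual total, the number still
undiscovered, and the vulnerability density per KSLOC.

Assumptions made for this example: the logistic form is a stand-in for the
paper's (unstated) model, and all numbers below are constructed.
"""
import math

# Constructed sample: cumulative vulnerabilities reported by the end of each
# month after release for a hypothetical operating system (months 0..35).
MONTHS = list(range(36))
CUMULATIVE = [1, 1, 1, 2, 2, 3, 4, 4, 6, 7, 9, 11, 14, 18, 22, 27, 32, 38,
              45, 53, 60, 67, 75, 82, 88, 93, 98, 102, 106, 109, 111, 113,
              114, 116, 116, 117]
KSLOC = 18000.0        # hypothetical system size, thousand source lines
DEFECT_DENSITY = 0.60  # hypothetical known defects per KSLOC for the release


def logistic(t, total, rate, midpoint):
    """Cumulative vulnerabilities the model expects to have been found by time t.

    `total` is the asymptote (everything that will eventually be found),
    `rate` sets how quickly discovery accelerates around the inflection, and
    `midpoint` is the time at which half of `total` has been found.
    """
    return total / (1.0 + math.exp(-rate * (t - midpoint)))


def sse(months, counts, total, rate, midpoint):
    """Sum of squared residuals between model and observed cumulative counts."""
    return sum((logistic(t, total, rate, midpoint) - c) ** 2
               for t, c in zip(months, counts))


def fit_logistic(months, counts):
    """Least-squares fit by exhaustive grid search over the three parameters.

    A grid is used instead of a numerical optimiser so the example needs only
    the standard library. The asymptote is searched from the largest observed
    count up to three times that value; the midpoint over the observed window.
    """
    best = None
    top = max(counts)
    for total in range(top, 3 * top + 1):
        for i in range(1, 11):
            rate = 0.05 * i
            for midpoint in range(months[0], months[-1] + 1):
                err = sse(months, counts, total, rate, midpoint)
                if best is None or err < best["sse"]:
                    best = {"total": total, "rate": rate,
                            "midpoint": midpoint, "sse": err}
    return best


def remaining(fit, t_now):
    """Vulnerabilities the fitted model expects still to be found after t_now."""
    return fit["total"] - logistic(t_now, fit["total"], fit["rate"], fit["midpoint"])


def vulnerability_density(total, ksloc):
    """Vulnerabilities per thousand source lines, comparable to defect density."""
    return total / ksloc


if __name__ == "__main__":
    # Fit on the full window, then on only the first 24 months to see how the
    # estimate of the eventual total behaves with less data.
    full = fit_logistic(MONTHS, CUMULATIVE)
    early = fit_logistic(MONTHS[:24], CUMULATIVE[:24])
    print("full-window fit:", full)
    print("24-month fit:   ", early)
    print("expected still undiscovered after month 35: %.1f" % remaining(full, 35))
    vd = vulnerability_density(full["total"], KSLOC)
    print("vulnerability density: %.4f per KSLOC" % vd)
    print("vulnerabilities as a fraction of known defects: %.3f" % (vd / DEFECT_DENSITY))
```

The interesting output is the gap between the 24-month and full-window estimates of `total`: until the data has passed the inflection point of the curve, the asymptote is poorly determined, which is the practical limit on predicting the number of vulnerabilities early in a release's life.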
