Improving vulnerability discovery models

Security researchers are applying software reliability models to vulnerability data, in an attempt to model the vulnerability discovery process. I show that most current work on these vulnerability discovery models (VDMs) is theoretically unsound. I propose a standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process. I then describe the theoretical requirements of VDMs and highlight the shortcomings of existing work, particularly the assumption that vulnerability discovery is an independent process.
