Security Vulnerabilities in Software Systems: A Quantitative Perspective

Security and reliability are important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. In this work we examine the feasibility of quantitatively characterizing some aspects of security. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a future release of a software system. We use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in some of the popular operating systems is analyzed. We examine this data to determine whether the density of vulnerabilities in a program is a useful measure. We try to identify what fraction of software defects are security related, i.e., are vulnerabilities. We examine the dynamics of vulnerability discovery, hypothesizing that it may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We consider the vulnerability-discovery rate to see whether models can be developed to project future trends. Finally, we use the data for both commercial and open-source systems to determine whether the key observations are generally applicable. Our results indicate that the values of vulnerability density fall within a range of values, just like the commonly used measure of defect density for general defects. Our examination also reveals that vulnerability discovery may be influenced by several factors, including the sharing of code between successive versions of a software system.
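As an added illustration (not the paper's own data, code or model), the following computes vulnerability density and the vulnerability-to-defect fraction for a constructed release, then fits an assumed S-shaped cumulative discovery curve to constructed monthly counts to estimate how many vulnerabilities remain undiscovered. The Release class, the curve form y(t) = B / (1 + C·exp(-k·t)) and every numeric value are assumptions made for the example.

```python
"""Vulnerability density and a discovery-trend fit on constructed release data."""
import math
from dataclasses import dataclass

@dataclass
class Release:
    name: str
    ksloc: float   # size in thousands of source lines
    defects: int   # all known defects in the release
    vulns: int     # the subset of those defects that are security vulnerabilities

def vuln_density(r: Release) -> float:
    """Vulnerabilities per KSLOC, the security analogue of defect density."""
    return r.vulns / r.ksloc

def vuln_fraction(r: Release) -> float:
    """Fraction of all known defects that are vulnerabilities."""
    return r.vulns / r.defects

def fit_s_curve(months, cumulative):
    """Assumed model (not the paper's): cumulative discoveries follow an
    S-shaped curve y(t) = B / (1 + C*exp(-k*t)); B is the total that would
    eventually be found. Least-squares grid search over (B, C, k)."""
    best = None
    found = max(cumulative)
    for B in range(found, 3 * found + 1):        # B can never be below what is found
        for C in range(1, 31):
            for k in (k10 / 10 for k10 in range(1, 21)):   # k from 0.1 to 2.0
                err = sum((B / (1 + C * math.exp(-k * t)) - y) ** 2
                          for t, y in zip(months, cumulative))
                if best is None or err < best[0]:
                    best = (err, B, C, k)
    return best[1], best[2], best[3]

def undiscovered_estimate(months, cumulative):
    """Estimated vulnerabilities not yet found: fitted B minus the count so far."""
    B, _, _ = fit_s_curve(months, cumulative)
    return B - cumulative[-1]

# Constructed sample values, not figures from the paper.
OS_A = Release("OS-A", ksloc=16_000, defects=9_600, vulns=120)
MONTHS = list(range(1, 13))                                  # months since release
CUMULATIVE = [3, 5, 7, 11, 15, 20, 25, 29, 33, 35, 37, 38]   # vulns found to date

if __name__ == "__main__":
    print(f"{OS_A.name}: {vuln_density(OS_A):.4f} vulns/KSLOC, "
          f"{vuln_fraction(OS_A):.2%} of defects are vulnerabilities")
    print("estimated still undiscovered:", undiscovered_estimate(MONTHS, CUMULATIVE))
```

The fitted B is only as good as the assumed curve; comparing densities across releases that share code is the paper's point, and the fit should be re-run as each month's counts arrive.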
