dissertation assessing vulnerabilities malaiya/pub/omar_dissertation.pdfdissertation assessing...

Download DISSERTATION ASSESSING VULNERABILITIES malaiya/pub/omar_dissertation.pdfDISSERTATION ASSESSING VULNERABILITIES…

Post on 21-Jul-2019

212 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • DISSERTATION

    ASSESSING VULNERABILITIES IN SOFTWARE SYSTEMS:

    A QUANTITATIVE APPROACH

    Submitted by

    Omar Alhazmi

    Department of Computer Science

    In partial fulfillment of the requirements For the Degree of Doctor of Philosophy

    Colorado State University Fort Collins, Colorado

    Spring 2006

  • ii

    COLORADO STATE UNIVERSITY

    November, 6th 2006

    WE HEREBY RECOMMEND THAT THE DISSERTATION PREPARED

    UNDER OUR SUPERVISION BY OMAR ALHAZMI ENTITLED ASSESSING

    VULNERABILITIES IN SOFTWARE SYSTEMS: A QUANTITATIVE APPROACH

    BE ACCEPTED AS FULFILLING IN PART THE REQUIREMENTS FOR THE

    DEGREE OF DOCTOR OF PHILOSOPHY.

    Committee on Graduate Work

    _______________________________________________

    _______________________________________________

    _______________________________________________

    _______________________________________________

    _______________________________________________

    Adviser Dr. Yashwant K. Malaiya

    Department Head Dr. Darrell Whitley

    Co- Adviser Dr. Indrajit Ray

    Dr. Anura Jayasumana

    Dr. Indrakshi Ray

  • iii

    ABSTRACT OF DISSERTATION

    ASSESSING VULNERABILITIES IN SOFTWARE SYSTEMS: A QUANTITATIVE APPROACH

    Security and reliability are two of the most important attributes of complex software

    systems. It is now common to use quantitative methods for evaluating and managing

    reliability. Software assurance requires similar quantitative assessment of software

    security, however only limited work has been done on quantitative aspects of security.

    The analogy with software reliability can help developing similar measures for software

    security. However, there are significant differences that need to be identified and

    appropriately acknowledged. This work examines the feasibility of quantitatively

    characterizing major attributes of security using its analogy with reliability. In particular,

    we investigate whether it is possible to predict the number of vulnerabilities that can

    potentially be identified in a current or future release of a software system using

    analytical modeling techniques.

    Datasets from several major complex software systems have been collected and

    analyzed, they represent both open-source and proprietary software systems. They

    include most of the major operating systems, web servers, and web browsers currently in

    use. The data about vulnerabilities discovered in these software systems are analyzed to

    identify trends and the goodness of fit with the proposed models is statistically examined.

    Vulnerability datasets are examined to determine if the vulnerability density in a

    program is a practical and useful measure. We attempt to identify the quantitative

    relationship between software defects and vulnerabilities. The results indicate that

  • iv

    vulnerability density is relatively stable for specific classes of systems and therefore, is a

    meaningful metric.

    The dynamics of vulnerability discovery is thoroughly examined in detail with the

    hope that it may lead us to an estimate of the magnitude of the undiscovered

    vulnerabilities still present in the system. We examine the vulnerability discovery process

    to determine whether models can be developed to project future trends. The prediction

    capabilities of the proposed quantitative methods have been investigated. The results

    show good prediction accuracy when applied to several of the operating systems and

    web-servers. Finally, vulnerabilities taxonomies were considered and the quantitative

    approaches were also applied to categorized vulnerability datasets as well.

    Categorized vulnerabilities analysis suggests that some vulnerabilities categories are

    generally more severe. We also note that in some products, some categories include a

    larger number of high severity vulnerabilities. This fact can be used as a guideline to

    design better test cases that assigns a higher priority to selected categories in order to

    optimize test effectiveness and reduce the cost of testing.

    Omar H. O. Alhazmi Department of Computer Science Colorado State University Fort Collins, CO 80523 Spring 2006

  • v

    ACKNOWLEDGEMENT

    First of all, I would like to thank God for everything. I also would like to thank all the

    people who helped me during this work. I am especially thankful to my adviser, Dr.

    Yashwant Malaiya, for his encouragement, guidance, and support during my graduate

    study. Also, I would like to thank my co-adviser Dr. Indrajit Ray for his supervision and

    vital advices, Dr. Indrakshi Ray and Dr. Anura Jayasumana for agreeing to be on my

    thesis committee and reviewing my thesis.

    I would like also to thank my research colleagues Sung-Whan Woo and Jin-Yoo Kim

    for their feedbacks and suggestions.

  • vi

    DEDICATION

    I would like to dedicate this dissertation to my parents, brothers, and sisters for their

    love, encouragement and support while I was far away from home during my Ph.D.

    program.

    I would also like dedicate it to my wife, Fahamiah Jeliadan, my daughter, Haneen,

    and my son, Hussien, for all their patient, love, and support over the years, which helped

    me completing this dissertation.

  • vii

    TABLE OF CONTENTS

    ABSTRACT OF DISSERTATION ...................................................................................... iii

    ACKNOWLEDGEMENT .....................................................................................................v

    DEDICATION.................................................................................................................... vi

    TABLE OF CONTENTS.................................................................................................... vii

    LIST OF FIGURES........................................................................................................... x

    LIST OF TABLES............................................................................................................. xiii

    CHAPTER 1 ........................................................................................................................ 1

    INTRODUCTION ............................................................................................................... 1 1.1 INTRODUCTION .......................................................................................................... 1

    1.2 MOTIVATION............................................................................................................... 5

    1.3 CONTRIBUTIONS ........................................................................................................ 7

    1.4 RELATED WORK AND LITERATURE REVIEW ..................................................... 7 1.4.1 BACKGROUND ..........................................................................................................................7 1.4.2 DEFINITION OF SOFTWARE VULNERABILITY ............................................................................9 1.4.3 QUANTITATIVE ASSESSMENT OF SOFTWARE SECURITY .........................................................10 1.4.4 MODELING VULNERABILITIES AND INCIDENTS ......................................................................12

    1.5 ORGANIZATION OF THE DISSERTATION ........................................................... 13

    CHAPTER 2 ...................................................................................................................... 15

    VULNERABILITY DENSITY ........................................................................................ 15 2.1 APPLICATIONS OF VULNERABILITY DENSITY ................................................ 17

    2.2 MEASURING VULNERABILITY DENSITY OF SOME SOFTWARE SYSTEMS18

    2.3 CONCLUSION ............................................................................................................ 21

    CHAPTER 3 ...................................................................................................................... 22

    VULNERABILITY DISCOVERY TRENDS AND VULNERABILITY DISCOVERY MODELS.......................................................................................................................... 22

    3.1 INTRODUCTION ........................................................................................................ 22

    3.2 VULNERABILITY TRENDS ..................................................................................... 22 3.2.1 DATA SOURCES ......................................................................................................................23 3.2.2 VULNERABILITY DISCOVERY TRENDS IN OPERATING SYSTEMS.............................................23 3.2.3 VULNERABILITY DISCOVERY TRENDS IN WEB SERVERS........................................................26 3.2.4 VULNERABILITY DISCOVERY TRENDS IN WEB BROWSERS...................................................27 3.2.5 OBSERVATIONS ......................................................................................................................28

    3.3 VULNERABILITY DISCOVERY MODELS............................................................. 29 3.3.1 THE LOGISTIC VULNERABILITY DISCOVERY MODEL .............................................................29 3.3.2 THE LINEAR VULNERABILITY DISCOVERY MODEL .............................................................

Recommended

View more >