CASFinder: Detecting Common Attack Surface

Abstract: Code reuse is a common practice in software development due to its various benefits. Such a practice, however, may also cause large-scale security issues, since one vulnerability may appear in many different software applications due to cloned code fragments. The well-known concept of relying on software diversity for security may also be compromised, since seemingly different software may in fact share vulnerable code fragments. Although there exist efforts on detecting cloned code fragments, there is a lack of solutions for formally characterizing their specific impact on security. In this paper, we revisit the concept of software diversity from a security viewpoint. Specifically, we define the novel concept of common attack surface to model the relative degree to which a pair of software applications may be sharing potentially vulnerable code fragments. To implement the concept, we develop an automated tool, CASFinder, to efficiently identify the common attack surface between any given pair of software applications with minimum human intervention. Finally, we conduct experiments by applying our tool to real-world open source software applications. Our results demonstrate that many seemingly unrelated software applications indeed share a significant common attack surface.
Document type: Conference papers

Cited literature: 44 references

https://hal.inria.fr/hal-02384581
Contributor: Hal Ifip
Submitted on: Thursday, November 28, 2019 - 2:24:55 PM
Last modification on: Thursday, November 28, 2019 - 2:29:17 PM
Long-term archiving on: Saturday, February 29, 2020 - 4:30:19 PM

File

Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until 2022-01-01.

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Mengyuan Zhang, Yue Xin, Lingyu Wang, Sushil Jajodia, Anoop Singhal. CASFinder: Detecting Common Attack Surface. 33rd IFIP Annual Conference on Data and Applications Security and Privacy (DBSec), Jul 2019, Charleston, SC, United States. pp.338-358, ⟨10.1007/978-3-030-22479-0_18⟩. ⟨hal-02384581⟩