An Information Flow-Based Taxonomy to Understand the Nature of Software Vulnerabilities

Abstract: Despite the emphasis on building secure software, the number of vulnerabilities found in our systems is increasing every year, and well-understood vulnerabilities continue to be exploited. A common response to vulnerabilities is patch-based mitigation, which does not completely address the flaw and is often circumvented by an adversary. The problem actually lies in a lack of understanding of the nature of vulnerabilities. Vulnerability taxonomies have been proposed, but their usability is limited because of their ambiguity and complexity. This paper presents a taxonomy that views vulnerabilities as fractures in the interpretation of information as it flows in the system. It also presents a machine learning study validating the taxonomy's unambiguity. A manually labeled set of 641 vulnerabilities trained a classifier that automatically categorized more than 70,000 vulnerabilities from three distinct databases with an average success rate of 80%. Important lessons learned are discussed, such as (i) approximately 12% of the studied reports provide insufficient information about vulnerabilities, and (ii) the roles of the reporter and developer are not leveraged, especially regarding information about tools used to find vulnerabilities and approaches to address them.

Document type: Conference paper

Published in: Jaap-Henk Hoepman; Stefan Katzenbeisser (eds.). 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. IFIP Advances in Information and Communication Technology, AICT-471, pp. 227-242, 2016, ICT Systems Security and Privacy Protection. DOI: 10.1007/978-3-319-33630-5_16

Cited literature: 27 references

https://hal.inria.fr/hal-01369556
Contributor: Hal Ifip
Submitted on: Wednesday 21 September 2016 - 10:56:29
Last modified on: Monday 20 November 2017 - 14:04:03
Long-term archiving on: Thursday 22 December 2016 - 12:51:48

File: Restricted access
File visible on: 2019-01-01

License: Distributed under a Creative Commons Attribution 4.0 International License

Identifiers: HAL Id: hal-01369556; DOI: 10.1007/978-3-319-33630-5_16

Citation

Daniela Oliveira, Jedidiah Crandall, Harry Kalodner, Nicole Morin, Megan Maher, et al. An Information Flow-Based Taxonomy to Understand the Nature of Software Vulnerabilities. Jaap-Henk Hoepman; Stefan Katzenbeisser (eds.). 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. IFIP Advances in Information and Communication Technology, AICT-471, pp. 227-242, 2016, ICT Systems Security and Privacy Protection. DOI: 10.1007/978-3-319-33630-5_16. HAL Id: hal-01369556
