Visible to the public Automation Framework for Software Vulnerability Exploitability Assessment

TitleAutomation Framework for Software Vulnerability Exploitability Assessment
Publication TypeConference Paper
Year of Publication2019
AuthorsBagri, Bagri, Gupta, Gupta
Conference Name2019 Global Conference for Advancement in Technology (GCAT)
Keywordsaccess vector, automated exploit attack, Automated Secure Software Engineering, common vector scoring system, composability, CVSS exploitability measures, de facto metrics system, Entry points, pubcrawl, reachability, reachability analysis, Resiliency, secure software, security flaws, security of data, security risks, software development sector, software engineering, software structural properties, software vulnerabilities, software vulnerability exploitability assessment, Structural Severity, third-factor access complexity, vulnerabilities
AbstractSoftware has become an integral part of every industry and organization. Due to improvement in technology and lack of expertise in coding techniques, software vulnerabilities are increasing day-by-day in the software development sector. The time gap between the identification of the vulnerabilities and their automated exploit attack is decreasing. This gives rise to the need for detection and prevention of security risks and development of secure software. Earlier the security risk is identified and corrected the better it is. Developers needs a framework which can report the security flaws in their system and reduce the chances of exploitation of these flaws by some malicious user. Common Vector Scoring System (CVSS) is a De facto metrics system used to assess the exploitability of vulnerabilities. CVSS exploitability measures use subjective values based on the views of experts. It considers mainly two factors, Access Vector (AV) and Authentication (AU). CVSS does not specify on what basis the third-factor Access Complexity (AC) is measured, whether or not it considers software properties. Our objective is to come up with a framework that automates the process of identifying vulnerabilities using software structural properties. These properties could be attack entry points, vulnerability locations, presence of dangerous system calls, and reachability analysis. This framework has been tested on two open source softwares - Apache HTTP server and Mozilla Firefox.
DOI10.1109/GCAT47503.2019.8978344
Citation Keybagri_automation_2019