Software Security, 2014 (IEEE), Part 1
This set of bibliographical references about software security research papers is from conference publications posted in the IEEE Digital Library. More than 1100 conference papers were presented on this topic in 2014. The set presented here represents those likely to be of most interest to the Science of Security community. They address issues related to measurement, scalability, reliability, and other hard problem issues. ACM papers are presented in a separate series.
Axelrod, C.W., "Reducing Software Assurance Risks for Security-Critical and Safety-Critical Systems," Systems, Applications and Technology Conference (LISAT), 2014 IEEE Long Island, pp.1,6, 2-2 May 2014. doi: 10.1109/LISAT.2014.6845212 Abstract: According to the Office of the Assistant Secretary of Defense for Research and Engineering (ASD(R&E)), the US Department of Defense (DoD) recognizes that there is a “persistent lack of a consistent approach ... for the certification of software assurance tools, testing and methodologies” [1]. As a result, the ASD(R&E) is seeking “to address vulnerabilities and weaknesses to cyber threats of the software that operates ... routine applications and critical kinetic systems ...” The mitigation of these risks has been recognized as a significant issue to be addressed in both the public and private sectors. In this paper we examine deficiencies in various software-assurance approaches and suggest ways in which they can be improved. We take a broad look at current approaches, identify their inherent weaknesses and propose approaches that serve to reduce risks. Some technical, economic and governance issues are: (1) Development of software-assurance technical standards; (2) Management of software-assurance standards; (3) Evaluation of tools, techniques, and metrics; (4) Determination of update frequency for tools, techniques; (5) Focus on most pressing threats to software systems; (6) Suggestions as to risk-reducing research areas; (7) Establishment of models of the economics of software-assurance solutions, and testing and certifying software. We show that, in order to improve current software assurance policy and practices, particularly with respect to security, there has to be a major overhaul in how software is developed, especially with respect to the requirements and testing phases of the SDLC (Software Development Lifecycle). We also suggest that the current preventative approaches are inadequate and that greater reliance should be placed upon avoidance and deterrence. We also recommend that those developing and operating security-critical and safety-critical systems exchange best-of-breed software assurance methods to prevent the vulnerability of components leading to compromise of entire systems of systems. The recent catastrophic loss of a Malaysia Airlines airplane is then presented as an example of possible compromises of physical and logical security of on-board communications and management and control systems.
Keywords: program testing; safety-critical software; software development management; software metrics; ASD(R&E); Assistant Secretary of Defense for Research and Engineering; Malaysia Airlines airplane; SDLC; US Department of Defense; US DoD; component vulnerability prevention; control systems; critical kinetic systems; cyber threats; economic issues; governance issues; logical security; management systems; on-board communications; physical security; private sectors; public sectors; risk mitigation; safety-critical systems; security-critical systems; software assurance risk reduction; software assurance tool certification; software development; software development lifecycle; software methodologies; software metric evaluation; software requirements; software system threats; software technique evaluation; software testing; software tool evaluation; software-assurance standard management; software-assurance technical standard development; technical issues; update frequency determination; Measurement; Organizations; Security; Software systems; Standards; Testing; cyber threats; cyber-physical systems; governance; risk; safety-critical systems; security-critical systems; software assurance; technical standards; vulnerabilities; weaknesses (ID#: 15-4546)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6845212&isnumber=6845183
AlBreiki, Hamda Hasan; Mahmoud, Qusay H., "Evaluation of Static Analysis Tools for Software Security," Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on, pp.93, 98, 9-11 Nov. 2014. doi: 10.1109/INNOVATIONS.2014.6987569 Abstract: Security has been always treated as an add-on feature in the software development lifecycle, and addressed by security professionals using firewalls, proxies, intrusion prevention systems, antivirus and platform security. Software is at the root of all common computer security problems, and hence hackers don't create security holes, but rather exploit them. Security holes in software applications are the result of bad design and implementation of software systems and applications. To address this problem, several initiatives for integrating security in the software development lifecycle have been proposed, along with tools to support a security-centric software development lifecycle. This paper introduces a framework for evaluating security static analysis tools such as source code analyzers, and offers evaluation of non-commercial static analysis tools such as Yasca, CAT.NET, and FindBugs. In order to evaluate the effectiveness of such tools, common software weaknesses are defined based on CWE/SANS Top 25, OWASP Top Ten and NIST source code weaknesses. The evaluation methodology is based on the NIST Software Assurance Metrics And Tool Evaluation (SAMATE). Results show that security static analysis tools are, to some extent, effective in detecting security holes in source code; source code analyzers are able to detect more weaknesses than bytecode and binary code scanners; and while tools can assist the development team in security code review activities, they are not enough to uncover all common weaknesses in software. The new test cases developed for this research have been contributed to the NIST Software Assurance Reference Dataset (samate.nist.gov/SARD).
Keywords: Binary codes; Computer architecture; Industries; Java; NIST; Security; Software; OWASP; SAMATE; security metrics; software security; static analysis (ID#: 15-4547)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6987569&isnumber=6985764
Razian, Mohammad Reza; Sangchi, Hasan Mokhtari, "A Threatened-Based Software Security Evaluation Method," Information Security and Cryptology (ISCISC), 2014 11th International ISC Conference on, pp.120,125, 3-4 Sept. 2014. doi: 10.1109/ISCISC.2014.6994034 Abstract: Nowadays, security evaluation of software is a substantial matter in software world. Security level of software will be determined by wealth of data and operation which it provides for us. The security level is usually evaluated by a third party, named Software Security Certification Issuance Centers. It is important for software security evaluators to perform a sound and complete evaluation, which is a complicated process considering the increasing number of emerging threats. In this paper we propose a Threatened-based Software Security Evaluation method to improve the security evaluation process of software. In this method, we focus on existing threatened entities of software which in turn result in software threats and their corresponding controls and countermeasures. We also demonstrate a Security Evaluation Assistant (SEA) tool to practically show the effectiveness of our evaluation method.
Keywords: Certification; Feature extraction; Organizations; Security; Software; Standards; Vectors; Assessment; Control; Evaluation; Security; Security Certification; Software; Software Security; Threat; Threatened (ID#: 15-4548)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6994034&isnumber=6994006
Zhuobing Han; Xiaohong Li; Ruitao Feng; Jing Hu; Guangquan Xu; Zhiyong Feng, "A Three-Dimensional Model for Software Security Evaluation," Theoretical Aspects of Software Engineering Conference (TASE), 2014, pp.34,41, 1-3 Sept. 2014. doi: 10.1109/TASE.2014.31 Abstract: Software security evaluation is considered as a significant and indispensable activity in all phases of software development lifecycle, and there are also many factors that should be taken into account such as the environment, risks, and development documents. Despite the achievements of the past several decades, there is still a lack of methodology in evaluating software security systematically. In this paper, we propose a comprehensive model for evaluating the software security from three different but complementary points of view: technology, management and engineering. The technological dimension is 7 security levels based on Evaluation Assurance Levels (EALs) from ISO/IEC15408, the management dimension mainly concerns the management of software infrastructures, development documents and risks, and the engineering dimension focuses on 5 stages of software development lifecycle. Experts evaluate software security through the evidence items which are collected from these three dimensions and provide their assessments. Relying on Analytic Hierarchy Process (AHP) and Dempster-Shafer Evidence Theory, assessments obtained from the experts can be combined and merged to get a score which presents the security degree of software. A case study illustrates how the evaluators may use the proposed approach to evaluate security of their system.
Keywords: analytic hierarchy process; inference mechanisms; security of data; software engineering; uncertainty handling; AHP; Dempster-Shafer evidence theory; analytic hierarchy process; software development lifecycle; software infrastructure management; software security evaluation; Analytical models; Capability maturity model; Security; Software; Solid modeling; Testing; Uncertainty; Common Criteria; Evidence; Software Life Cycle; Software Security Evaluation; Three-Dimensional Model (ID#: 15-4549)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6976565&isnumber=6976553
Daughtrey, T., "Prospects for Software Security Growth Modeling," Reliability and Maintainability Symposium (RAMS), 2014 Annual, pp.1,5, 27-30 Jan. 2014. doi: 10.1109/RAMS.2014.6798453 Abstract: Modern society depends on the continuing correct operation of software-based systems. Critical infrastructures -- including energy, communication, transportation, and finance -- all function within powerful and complex computing environments. The dependability of these systems is increasingly threatened by a wide range of adversaries, and increasing investments are being made to provide and assess sufficient security for these systems. Engineering and business decisions have to be made in response to questions such as: “How secure does this system have to be?” “What kinds and amounts of development and appraisal activities should be funded?” “Is the system ready to be placed into operation?” Software quality engineering has addressed similar issues for other product attributes. In particular, there is a considerable body of experience with techniques and tools for specifying and measuring software reliability. Much effort has gone into modeling the improvement in software reliability during development and testing. An analogous approach to security growth modeling would quantify how the projected security of a system increases with additional detection and removal of software vulnerabilities. Such insights could guide allocation of resources during development and ultimately assist in making the decision to release the product. This paper will first summarize software reliability engineering and its use of software reliability growth modeling before considering potential analogies in software security engineering and software security growth modeling. After describing several limitations in either type of modeling, the role of risk management will be considered.
Keywords: risk management; security of data; software reliability; business decision; communication infrastructure; computing environments; energy infrastructure; engineering decision; finance infrastructure; resource allocation; risk management; software quality engineering; software reliability engineering; software reliability growth modeling; software security engineering; software security growth modeling; software vulnerabilities; software-based systems; transportation infrastructure; Computational modeling; Data models; Security; Software; Software reliability; Testing; reliability growth; security; software quality; software reliability (ID#: 15-4550)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6798453&isnumber=6798433
Zhioua, Z.; Short, S.; Roudier, Y., "Static Code Analysis for Software Security Verification: Problems and Approaches," Computer Software and Applications Conference Workshops (COMPSACW), 2014 IEEE 38th International, pp.102, 109, 21-25 July 2014. doi: 10.1109/COMPSACW.2014.22 Abstract: Developing and deploying secure software is a difficult task, one that is even harder when the developer has to be conscious of adhering to specific company security requirements. In order to facilitate this, different approaches have been elaborated over the years to varying degrees of success. To better understand the underlying issues, this paper describes and evaluates a number of static code analysis techniques and tools based on an example that illustrates prevalent software security challenges. The latter can be addressed by considering an approach that allows for the detection of security properties and their transformation into security policies that can be validated against security requirements. This would help the developer throughout the software development lifecycle and to insure the compliance with security specifications.
Keywords: formal specification; formal verification; program diagnostics; security of data; security policies; security properties detection; security requirements; security specifications; software development lifecycle; software security verification; static code analysis techniques; Abstracts; Analytical models; Model checking; Programming; Security; Software; code analysis tools; program modeling; security properties; static analysis (ID#: 15-4551)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6903113&isnumber=6903069
Balachandran, V.; Ng Wee Keong; Emmanuel, S., "Function Level Control Flow Obfuscation for Software Security," Complex, Intelligent and Software Intensive Systems (CISIS), 2014 Eighth International Conference on, pp.133,140, 2-4 July 2014. doi: 10.1109/CISIS.2014.20 Abstract: Software released to the user has the risk of reverse engineering attacks. Software control flow obfuscation is one of the techniques used to make the reverse engineering of software programs harder. Control flow obfuscation, obscures the control flow of the program so that it is hard for an analyzer to decode the logic of the program. In this paper, we propose an obfuscation algorithm which obscures the control flow across functions. In our method code fragments from each function is stripped from the original function and is stored in another function. Each function will be having code fragments from different functions, thereby creating a function level shuffled version of the original program. Control flow is obscured between and within the function by this method. Experimental results indicate that the algorithm performs well against automated attacks.
Keywords: program control structures; reverse engineering; security of data; function level control flow obfuscation; function level shuffled version; reverse engineering attacks; software control flow obfuscation; software security; Algorithm design and analysis; Assembly; Heuristic algorithms; Reverse engineering; Security; Software; Software algorithms; code obfuscation; computer security; software security (ID#: 15-4552)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6915508&isnumber=6915447
Hui Guan; Xuan Wang; Hongji Yang, "A Framework for Security Driven Software Evolution," Automation and Computing (ICAC), 2014 20th International Conference on, pp.194, 199, 12-13 Sept. 2014. doi: 10.1109/IConAC.2014.6935485 Abstract: Security has become a key non-functional requirement in the modern software system. The need to improve the security level for legacy systems is equally important as that for new designed systems. However, how to integrate security engineering into legacy system is sometimes very difficult. After examining the current literature on security improvement, this paper proposes a framework for enhancing security for legacy system from software evolution perspective using a model driven approach. It starts from understanding and extracting models from legacy source code. Security requirements are elicited through analysing security risks and satisfied by integrating security patterns with the support of the proposed security ontology. The proposed framework in this paper provides a comprehensive approach allowing the designer to be guided through the process of security oriented evolution.
Keywords: ontologies (artificial intelligence); risk management; security of data; software maintenance; source code (software); comprehensive approach; legacy source code; legacy systems; model driven approach; nonfunctional requirement; security driven software evolution framework; security engineering integration; security level improvement; security ontology; security pattern integration; security requirements; security risk analysis; software system; Aging; Context; Object oriented modeling; Ontologies; Security; Software; Unified modeling language; model driven; ontology; security pattern; security requirement; software evolution (ID#: 15-4553)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6935485&isnumber=6935445
Gartner, S.; Ruhroth, T.; Burger, J.; Schneider, K.; Jurjens, J., "Maintaining Requirements for Long-Living Software Systems by Incorporating Security Knowledge," Requirements Engineering Conference (RE), 2014 IEEE 22nd International, pp.103, 112, 25-29 Aug. 2014. doi: 10.1109/RE.2014.6912252 Abstract: Security is an increasingly important quality facet in modern information systems and needs to be retained. Due to a constantly changing environment, long-living software systems “age” not by wearing out, but by failing to keep up-to-date with their environment. The problem is that requirements engineers usually do not have a complete overview of the security-related knowledge necessary to retain security of long-living software systems. This includes security standards, principles and guidelines as well as reported security incidents. In this paper, we focus on the identification of known vulnerabilities (and their variations) in natural-language requirements by leveraging security knowledge. For this purpose, we present an integrative security knowledge model and a heuristic method to detect vulnerabilities in requirements based on reported security incidents. To support knowledge evolution, we further propose a method based on natural language analysis to refine and to adapt security knowledge. Our evaluation indicates that the proposed assessment approach detects vulnerable requirements more reliable than other methods (Bayes, SVM, k-NN). Thus, requirements engineers can react faster and more effectively to a changing environment that has an impact on the desired security level of the information system.
Keywords: information systems; natural language processing; security of data; software maintenance; software quality; heuristic method; information needs; information systems; integrative security knowledge model; knowledge evolution; long-living software systems; natural-language requirements; quality facet; requirement engineering; requirement maintenance; security incidents; security standards; vulnerability identification; Analytical models; Information systems; Natural languages; Ontologies; Security; Taxonomy; Heuristics; Knowledge carrying software; Requirements analysis; Security requirements; Software evolution (ID#: 15-4554)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6912252&isnumber=6912234
Tlili, S.; Fernandez, J.M.; Belghith, A.; Dridi, B.; Hidouri, S., "Scalable Security Verification of Software at Compile Time," Source Code Analysis and Manipulation (SCAM), 2014 IEEE 14th International Working Conference on, pp.115,124, 28-29 Sept. 2014. doi: 10.1109/SCAM.2014.20 Abstract: Automated verification tools are required to detect coding errors that may lead to severe software vulnerabilities. However, the usage of these tools is still not well integrated into software development life cycle. In this paper, we present our approach that brings the software compilation process and security verification to a meeting point where both can be applied simultaneously in a user-friendly manner. Our security verification engine is implemented as a new GCC pass that can be enabled via flag -fsecurity-check=checks.xml where the input XML file contains a set of user-defined security checks. The verification operates on the GIMPLE intermediate representation of source code that is language and platform independent. The conducted experiments demonstrate the scalability, efficiency and performance of our engine used to verify large scale software, especially the entire Linux kernel source code.
Keywords: Linux; XML; formal verification; security of data; GCC pass; Linux kernel source code; automated verification tools; scalable security verification engine; software compilation process; software development life cycle; software vulnerabilities; Automata; Engines; Monitoring; Scalability; Security; Software; XML; Finite State Automata; GCC; Security Verification; Static Analysis (ID#: 15-4555)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6975645&isnumber=6975619
Khan, M.U.; Zulkernine, M., "A Hybrid Monitoring of Software Design-Level Security Specifications," Quality Software (QSIC), 2014 14th International Conference on, pp. 111, 116, 2-3 Oct. 2014. doi: 10.1109/QSIC.2014.14 Abstract: The behavior of the deployed software should be monitored against its security specifications to identify vulnerabilities introduced due to incorrect implementation of secure design decisions. Security specifications, including design-level ones, impose constraints on the behavior of the software. These constraints can be broadly categorized as non-time-critical and time-critical and have to be monitored in a manner that minimizes the monitoring overhead. In this paper, we suggest using a hybrid of event and time monitoring techniques to observe these constraints. The viability of the hybrid technique is assessed by comparing its effectiveness and performance with event and time monitoring techniques. The results indicate that the hybrid monitoring technique is more effective and efficient when compared separately with event or time monitoring.
Keywords: computerised monitoring; security of data; event monitoring techniques; hybrid monitoring technique; hybrid software design-level security specifications monitoring; monitoring overhead; secure design decisions; software behavior; time monitoring techniques; Authentication; Instruments; Monitoring; Software; Software algorithms; Time factors; design-level; monitoring; security specifications (ID#: 15-4556)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6958394&isnumber=6958368
Pedraza-Garcia, G.; Astudillo, H.; Correal, D., "A Methodological Approach to Apply Security Tactics in Software Architecture Design," Communications and Computing (COLCOM), 2014 IEEE Colombian Conference on, pp.1,8, 4-6 June 2014. doi: 10.1109/ColComCon.2014.6860432 Abstract: Architectural tactics are decisions to efficiently solve quality attributes in software architecture. Security is a complex quality property due to its strong dependence on the application domain. However, the selection of security tactics in the definition of software architecture is guided informally and depends on the experience of the architect. This study presents a methodological approach to address and specify the quality attribute of security in architecture design applying security tactics. The approach is illustrated with a case study about a Tsunami Early Warning System.
Keywords: security of data; software architecture; security quality attribute; security tactics; software architecture design; tsunami early warning system; Computer architecture; Decision making; Security; Software architecture; Software systems; Tsunami; Architectural tactics; secure architectures; secure software development; security tactics application; software architecture design (ID#: 15-4557)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6860432&isnumber=6860394
Tu, Hao; Li, Weiming; Li, Dong; Yu, Junqing, "A Scalable Flow Rule Translation Implementation for Software Defined Security," Network Operations and Management Symposium (APNOMS), 2014 16th Asia-Pacific, pp.1,5, 17-19 Sept. 2014. doi: 10.1109/APNOMS.2014.6996571 Abstract: Software defined networking brings many possibilities to network security, one of the most important security challenge it can help with is the possibility to make network traffic pass through specific security devices, in other words, determine where to deploy these devices logically. However, most researches focus on high level policy and interaction framework but ignored how to translate them to low-level OpenFlow rules with scalability. We analyze different actions used in common security scenarios and resource constraints of physical switch. Based on them, we propose a rule translation implementation which can optimize the resource consumption according to different actions by selecting forward path dynamically.
Keywords: Bandwidth; Communication networks; Mirrors; Monitoring; Ports (Computers); Security; Switches; network security; software defined networking (ID#: 15-4558)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6996571&isnumber=6996102
Skopik, F.; Settanni, G.; Fiedler, R.; Friedberg, I., "Semi-Synthetic Data Set Generation for Security Software Evaluation," Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, pp.156,163, 23-24 July 2014. doi: 10.1109/PST.2014.6890935 Abstract: Threats to modern ICT systems are rapidly changing these days. Organizations are not mainly concerned about virus infestation, but increasingly need to deal with targeted attacks. These kinds of attacks are specifically designed to stay below the radar of standard ICT security systems. As a consequence, vendors have begun to ship self-learning intrusion detection systems with sophisticated heuristic detection engines. While these approaches are promising to relax the serious security situation, one of the main challenges is the proper evaluation of such systems under realistic conditions during development and before roll-out. Especially the wide variety of configuration settings makes it hard to find the optimal setup for a specific infrastructure. However, extensive testing in a live environment is not only cumbersome but usually also impacts daily business. In this paper, we therefore introduce an approach of an evaluation setup that consists of virtual components, which imitate real systems and human user interactions as close as possible to produce system events, network flows and logging data of complex ICT service environments. This data is a key prerequisite for the evaluation of modern intrusion detection and prevention systems. With these generated data sets, a system's detection performance can be accurately rated and tuned for very specific settings.
Keywords: data handling; security of data; ICT security systems; ICT systems; heuristic detection engines; information and communication technology systems; intrusion detection and prevention systems; security software evaluation; self-learning intrusion detection systems; semisynthetic data set generation; virus infestation; Complexity theory; Data models; Databases; Intrusion detection; Testing; Virtual machining; anomaly detection evaluation; scalable system behavior model; synthetic data set generation (ID#: 15-4559)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6890935&isnumber=6890911
Younis, A.A.; Malaiya, Y.K.; Ray, I., "Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability," High-Assurance Systems Engineering (HASE), 2014 IEEE 15th International Symposium on, pp. 1, 8, 9-11 Jan. 2014. doi: 10.1109/HASE.2014.10 Abstract: An unpatched vulnerability can lead to security breaches. When a new vulnerability is discovered, it needs to be assessed so that it can be prioritized. A major challenge in software security is the assessment of the potential risk due to vulnerability exploitability. CVSS metrics have become a de facto standard that is commonly used to assess the severity of a vulnerability. The CVSS Base Score measures severity based on exploitability and impact measures. CVSS exploitability is measured based on three metrics: Access Vector, Authentication, and Access Complexity. However, CVSS exploitability measures assign subjective numbers based on the views of experts. Two of its factors, Access Vector and Authentication, are the same for almost all vulnerabilities. CVSS does not specify how the third factor, Access Complexity, is measured, and hence we do not know if it considers software properties as a factor. In this paper, we propose an approach that assesses the risk of vulnerability exploitability based on two software properties - attack surface entry points and reachability analysis. A vulnerability is reachable if it is located in one of the entry points or is located in a function that is called either directly or indirectly by the entry points. The likelihood of an entry point being used in an attack can be assessed by using damage potential-effort ratio in the attack surface metric and the presence of system calls deemed dangerous. To illustrate the proposed method, five reported vulnerabilities of Apache HTTP server 1.3.0 have been examined at the source code level. The results show that the proposed approach, which uses more detailed information, can yield a risk assessment that can be different from the CVSS Base Score.
Keywords: reachability analysis; risk management; security of data; software metrics; Apache HTTP server 1.3.0; CVSS base score; CVSS exploitability; CVSS metrics; access complexity; access vector; attack surface entry point; attack surface metric; authentication; damage potential-effort ratio; reachability analysis; risk assessment; security breach; severity measurement; software security; software vulnerability exploitability; Authentication; Complexity theory; Measurement; Servers; Software; Vectors; Attack Surface; CVSS Metrics; Measurement; Risk assessment; Software Security Metrics; Software Vulnerability (ID#: 15-4560)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6754581&isnumber=6754569
Younis, A.A.; Malaiya, Y.K., "Using Software Structure to Predict Vulnerability Exploitation Potential," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp. 13, 18, June 30, 2014-July 2, 2014. doi: 10.1109/SERE-C.2014.17 Abstract: Most of the attacks on computer systems are due to the presence of vulnerabilities in software. Recent trends show that a number of newly discovered vulnerabilities still continue to be significant. Studies have also shown that the time gap between the vulnerability public disclosure and the release of an automated exploit is getting smaller. Therefore, assessing vulnerabilities exploitability risk is critical as it aids decision-makers prioritize among vulnerabilities, allocate resources, and choose between alternatives. Several methods have recently been proposed in the literature to deal with this challenge. However, these methods are either subjective, requires human involvement in assessing exploitability, or do not scale. In this research, our aim is to first identify vulnerability exploitation risk problem. Then, we introduce a novel vulnerability exploitability metric based on software structure properties viz.: attack entry points, vulnerability location, presence of dangerous system calls, and reachability. Based on our preliminary results, reachability and the presence of dangerous system calls appear to be a good indicator of exploitability. Next, we propose using the suggested metric as feature to construct a model using machine learning techniques for automatically predicting the risk of vulnerability exploitation. To build a vulnerability exploitation model, we propose using Support Vector Machines (SVMs). Once the predictor is built, given unseen vulnerable function and their exploitability features the model can predict whether the given function is exploitable or not.
Keywords: decision making; learning (artificial intelligence); reachability analysis; software metrics; support vector machines; SVM; attack entry points; computer systems; decision makers; machine learning; reachability; software structure; support vector machines; vulnerabilities exploitability risk; vulnerability exploitability metric; vulnerability exploitation model; vulnerability exploitation potential; vulnerability exploitation risk problem; vulnerability location; vulnerability public disclosure; Feature extraction; Predictive models; Security; Software; Software measurement; Support vector machines; Attack Surface; Machine Learning; Measurement; Risk Assessment; Software Security Metrics; Software Vulnerability (ID#: 15-4561)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6901635&isnumber=6901618
Xun Zhan; Tao Zheng; Shixiang Gao, "Defending ROP Attacks Using Basic Block Level Randomization," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp.107,112, June 30 2014-July 2 2014. doi: 10.1109/SERE-C.2014.28 Abstract: Code reuse attacks such as return-oriented programming, one of the most powerful threats to software systems, rely on the absolute address of instructions. Therefore, address space randomization should be an effective defending method. However, current randomization techniques either lack enough entropy or have significant time or space overhead. In this paper, we present a novel fine-grained randomization technique at basic block level. In contrast to previous work, our technique dealt with critical technical challenges including indirect branches, callbacks and position independent codes properly at the least cost. We implement an efficient prototype randomization system which supports Linux ELF file format and x86 architecture. Our evaluation demonstrated that it can defend ROP attacks with tiny performance overhead (4% on average) successfully.
Keywords: Linux; security of data; software architecture; Linux ELF file format; address space randomization; basic block level randomization; critical technical challenge; defending ROP attacks; code reuse attacks; fine-grained randomization technique; performance overhead; position independent codes; prototype randomization system; randomization techniques; return-oriented programming; software system; x86 architecture; Binary codes; Engines; Entropy; Libraries; Programming; Security; Software; ASLR; randomization; return-oriented programming; software security (ID#: 15-4562)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6901647&isnumber=6901618
Cooper, V.N.; Shahriar, H.; Haddad, H.M., "A Survey of Android Malware Characterisitics and Mitigation Techniques," Information Technology: New Generations (ITNG), 2014 11th International Conference on, pp.327, 332, 7-9 April 2014. doi: 10.1109/ITNG.2014.71 Abstract: As mobile applications are being developed at a faster pace, the security aspect of is being neglected. A solid understanding of the characteristics of malware is the first step to preventing many unwanted consequences. This paper provides an overview of popular security threats posed by Android malware. In particular, we focus on the characteristics commonly found in malware applications and understand the code level features that can enable detection techniques. We also discuss some common defense techniques to mitigate the impact of malware applications.
Keywords: Android (operating system); invasive software; mobile computing; smart phones; Android malware characterisitics; code level features; defense technique; detection technique; malware mitigation technique; mobile applications; security threats; Kernel; Libraries; Malware; Mobile communication; Smart phones; Social network services; Android Malware; Mobile application; Mobile security; Software Security (ID#: 15-4563)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6822218&isnumber=6822158
Mead, N.R.; Morales, J.A., "Using Malware Analysis to Improve Security Requirements on Future Systems," Evolving Security and Privacy Requirements Engineering (ESPRE), 2014 IEEE 1st Workshop on, pp.37, 41, 25-25 Aug. 2014. doi: 10.1109/ESPRE.2014.6890526 Abstract: In this position paper, we propose to enhance current software development lifecycle models by including use cases, based on previous cyberattacks and their associated malware, and to propose an open research question: Are specific types of systems prone to specific classes of malware exploits? If this is the case, developers can create future systems that are more secure, from inception, by including use cases that address previous attacks.
Keywords: invasive software; software engineering; cyberattacks; malware analysis; malware exploits; security requirement improvement; software development lifecycle models; use cases; Authentication; Computer crime; Malware; Software; Software engineering; Standards; SDLC; cyberattacks; malware; software security (ID#: 15-4564)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6890526&isnumber=6890516
Busby Earle, C.C.R.; France, R.B.; Ray, I., "Analysing Requirements to Detect Latent Security Vulnerabilities," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp.168,175, June 30 2014-July 2 2014. doi: 10.1109/SERE-C.2014.35 Abstract: To fully embrace the challenge of securing software, security concerns must be considered at the earliest stages of software development. Studies have shown that this reduces the time, cost and effort required to integrate security features into software during development. In this paper we describe a technique for uncovering potential vulnerabilities through an analysis of software requirements and describe its use using a small, motivating example.
Keywords: security of data; software engineering; latent security vulnerabilities detection; security features; software development; software requirements; software security; Context; Educational institutions; Natural languages; Object recognition; Ontologies; Security; Software; Loophole Analysis; Requirements; Security; Vulnerabilities (ID#: 15-4565)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6901654&isnumber=6901618
Kundi, M.; Chitchyan, R., "Position on Metrics for Security in Requirements Engineering," Requirements Engineering and Testing (RET), 2014 IEEE 1st International Workshop on, pp.29, 31, 26-26 Aug. 2014. doi: 10.1109/RET.2014.6908676 Abstract: A number of well-established software quality metrics are in use in code testing. It is our position that, for many code-testing metrics for security, equivalent requirements-level metrics should be defined. Such requirements-level security metrics should be used in evaluating the quality of software security early on, in order to ensure that the resultant software system possesses the required security characteristics and quality.
Keywords: formal specification; program testing; security of data; software metrics; software quality; code-testing metrics; requirements engineering; requirements-level security metrics; software quality metrics; software security; Conferences; Security; Software measurement; Software systems; Testing (ID#: 15-4566)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6908676&isnumber=6908666
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.