Empirical Models for Vulnerability Exploits - UMD - October 2016

PI(s): Tudor Dumitras
Researchers: Sanghyun Hong, Octavian Suciu, Soumya Indela, Michael Hicks, Jonathan Katz, Joseph JaJa

HARD PROBLEM(S) ADDRESSED

Security-Metrics-Driven Evaluation, Design, Development, and Deployment

Project synopsis
The security of deployed and actively used systems is influenced by factors not captured in existing security metrics. For example, the count and severity of unpatched vulnerabilities in source code, as well as the corresponding attack surface, are commonly used as measures of a software product's security. But simply estimating the number of vulnerabilities in source code does not account for the fact that some vulnerabilities are never exploited by attackers, perhaps due to reduced attack surfaces or because of other technologies that render exploits less likely to succeed. Conversely, vulnerabilities that have been "patched" can continue to impact security in the real world because some users do not deploy the corresponding software patches. Overall, we currently do not know how to assess the security of real-world systems. In this task, we will conduct empirical studies of security in the real world. Our goals are to derive empirical models of vulnerabilities and attack surfaces exercised in cyber attacks and to understand the deployment-specific factors that influence the security of systems in active use.