Visible to the public BP: Profiling Vulnerabilities on the Attack SurfaceConflict Detection Enabled

TitleBP: Profiling Vulnerabilities on the Attack Surface
Publication TypeConference Paper
Year of Publication2018
AuthorsChristopher Theisen, Hyunwoo Sohn, Dawson Tripp, Laurie Williams
Conference NameIEEE SecDev
Date Published09/2018
PublisherIEEE
Conference LocationCambridge, MA
ISBN Number978-1-5386-7662-2
Accession Number18274354
Keywords2018: July, CPS Domains, cybersecurity; attack surface, Human Behavior, NCSU, Predicting the Difficulty of Compromise through How Attackers Discover Vulnerabilities
Abstract

Security practitioners use the attack surface of software systems to prioritize areas of systems to test and analyze. To date, approaches for predicting which code artifacts are vulnerable have utilized a binary classification of code as vulnerable or not vulnerable. To better understand the strengths and weaknesses of vulnerability prediction approaches, vulnerability datasets with classification and severity data are needed. The goal of this paper is to help researchers and practitioners make security effort prioritization decisions by evaluating which classifications and severities of vulnerabilities are on an attack surface approximated using crash dump stack traces. In this work, we use crash dump stack traces to approximate the attack surface of Mozilla Firefox. We then generate a dataset of 271 vulnerable files in Firefox, classified using the Common Weakness Enumeration (CWE) system. We use these files as an oracle for the evaluation of the attack surface generated using crash data. In the Firefox vulnerability dataset, 14 different classifications of vulnerabilities appeared at least once. In our study, 85.3%
of vulnerable files were on the attack surface generated using crash data. We found no difference between the severity of vulnerabilities found on the attack surface generated using crash data and vulnerabilities not occurring on the attack surface. Additionally, we discuss lessons learned during the development of this vulnerability dataset.

URLhttps://ieeexplore.ieee.org/document/8543394
DOI10.1109/SecDev.2018.00022
Citation Keynode-54845
Refereed DesignationRefereed

Other available formats:

theisen_coverage_bp_rework.pdf
AttachmentSize
bytes