To Fear or Not to Fear That is the Question
Author: | Indrajit Ray, Awad A. Younis, Yashwant K. Malaiya, Charles W. Anderson |
---|---|
Year of publication: | 2016 |
Subject: | Exploit; Computer science; National Vulnerability Database; Vulnerability; Security domain; Software engineering; Vulnerability management; Computer security; Software security assurance; CVSS; Secure coding |
Source: | CODASPY |
DOI: | 10.1145/2857705.2857750 |
Abstract: | Not all vulnerabilities are equal. Several recent studies have shown that only a small fraction of the vulnerabilities that have been reported have actually been exploited. Since finding and addressing potential vulnerabilities in a program can take considerable time and effort, recent work has tried to identify code that is more likely to be vulnerable. This paper goes a step further and tries to identify the attributes of vulnerable code that make a vulnerability more likely to be exploited. We examine 183 vulnerabilities from the National Vulnerability Database for the Linux kernel and the Apache HTTP Server. These include eighty-two vulnerabilities for which an exploit exists according to the Exploit Database. We characterize the vulnerable functions that have no exploit and those that have an exploit using eight software metrics. The results show that the difference between a vulnerability with no exploit and one with an exploit can potentially be characterized using the chosen metrics. However, predicting the exploitation of a vulnerability is more complex than predicting merely its presence, and further research is needed using metrics that incorporate security domain knowledge to improve the predictability of vulnerability exploits. |
Database: | OpenAIRE |
External link: |