TY - GEN
T1 - An information flow-based taxonomy to understand the nature of software vulnerabilities
AU - Oliveira, Daniela
AU - Crandall, Jedidiah
AU - Kalodner, Harry
AU - Morin, Nicole
AU - Maher, Megan
AU - Navarro, Jesus
AU - Emiliano, Felix
N1 - Funding Information:
This material is based upon work supported by the National Science Foundation under Grant Nos. #1149730, #0844880, #0905177, and #1017602.
Publisher Copyright:
© IFIP International Federation for Information Processing 2016.
PY - 2016
Y1 - 2016
N2 - Despite the emphasis on building secure software, the number of vulnerabilities found in our systems is increasing every year, and well-understood vulnerabilities continue to be exploited. A common response to vulnerabilities is patch-based mitigation, which does not completely address the flaw and is often circumvented by an adversary. The problem actually lies in a lack of understanding of the nature of vulnerabilities. Vulnerability taxonomies have been proposed, but their usability is limited because of their ambiguity and complexity. This paper presents a taxonomy that views vulnerabilities as fractures in the interpretation of information as it flows in the system. It also presents a machine learning study validating the taxonomy’s unambiguity. A manually labeled set of 641 vulnerabilities trained a classifier that automatically categorized more than 70000 vulnerabilities from three distinct databases with an average success rate of 80%. Important lessons learned are discussed such as (i) approximately 12% of the studied reports provide insufficient information about vulnerabilities, and (ii) the roles of the reporter and developer are not leveraged, especially regarding information about tools used to find vulnerabilities and approaches to address them.
AB - Despite the emphasis on building secure software, the number of vulnerabilities found in our systems is increasing every year, and well-understood vulnerabilities continue to be exploited. A common response to vulnerabilities is patch-based mitigation, which does not completely address the flaw and is often circumvented by an adversary. The problem actually lies in a lack of understanding of the nature of vulnerabilities. Vulnerability taxonomies have been proposed, but their usability is limited because of their ambiguity and complexity. This paper presents a taxonomy that views vulnerabilities as fractures in the interpretation of information as it flows in the system. It also presents a machine learning study validating the taxonomy’s unambiguity. A manually labeled set of 641 vulnerabilities trained a classifier that automatically categorized more than 70000 vulnerabilities from three distinct databases with an average success rate of 80%. Important lessons learned are discussed such as (i) approximately 12% of the studied reports provide insufficient information about vulnerabilities, and (ii) the roles of the reporter and developer are not leveraged, especially regarding information about tools used to find vulnerabilities and approaches to address them.
UR - http://www.scopus.com/inward/record.url?scp=84970005339&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84970005339&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-33630-5_16
DO - 10.1007/978-3-319-33630-5_16
M3 - Conference contribution
AN - SCOPUS:84970005339
SN - 9783319336299
T3 - IFIP Advances in Information and Communication Technology
SP - 227
EP - 242
BT - ICT Systems Security and Privacy Protection - 31st IFIP TC 11 International Conference, SEC 2016, Proceedings
A2 - Katzenbeisser, Stefan
A2 - Hoepman, Jaap-Henk
PB - Springer New York LLC
T2 - 31st IFIP TC 11 International Conference on Systems Security and Privacy Protection, SEC 2016
Y2 - 30 May 2016 through 1 June 2016
ER -