File(s) under permanent embargo
Supporting automated vulnerability analysis using formalized vulnerability signatures
conference contribution
posted on 2012-10-05, 00:00 authored by M Almorsy, John Grundy, Amani IbrahimAdopting publicly accessible platforms such as cloud computing model to host IT systems has become a leading trend. Although this helps to minimize cost and increase availability and reachability of applications, it has serious implications on applications' security. Hackers can easily exploit vulnerabilities in such publically accessible services. In addition to, 75% of the total reported application vulnerabilities are web application specific. Identifying such known vulnerabilities as well as newly discovered vulnerabilities is a key challenging security requirement. However, existing vulnerability analysis tools cover no more than 47% of the known vulnerabilities. We introduce a new solution that supports automated vulnerability analysis using formalized vulnerability signatures. Instead of depending on formal methods to locate vulnerability instances where analyzers have to be developed to locate specific vulnerabilities, our approach incorporates a formal vulnerability signature described using OCL. Using this formal signature, we perform program analysis of the target system to locate signature matches (i.e. signs of possible vulnerabilities). A newly-discovered vulnerability can be easily identified in a target program provided that a formal signature for it exists. We have developed a prototype static vulnerability analysis tool based on our formalized vulnerability signatures specification approach. We have validated our approach in capturing signatures of the OWSAP Top10 vulnerabilities and applied these signatures in analyzing a set of seven benchmark applications.
History
Event
Automated Software Engineering. IEEE/ACM International Conference (27th : 2012 : Essen, Germany)Pagination
100 - 109Publisher
Association for Computing MachineryLocation
Essen, GermanyPlace of publication
New York, N.Y.Publisher DOI
Start date
2012-09-03End date
2012-09-07ISBN-13
9781450312042Language
rngPublication classification
E Conference publication; E1.1 Full written paper - refereedCopyright notice
2012, ACMEditor/Contributor(s)
M Goedicke, T Menzies, M SaekiTitle of proceedings
2012 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012 - ProceedingsUsage metrics
Categories
No categories selectedKeywords
Licence
Exports
RefWorks
BibTeX
Ref. manager
Endnote
DataCite
NLM
DC