
Assessing Attack Surface with Component-Based Package Dependency

Conference paper, Network and System Security (NSS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9408)

Abstract

Package dependency has been considered in many vulnerability assessment systems. However, existing approaches are either coarse-grained, and so do not accurately reveal the influence and severity of vulnerabilities, or do not provide a comprehensive (both incoming and outgoing) analysis of the attack surface through package dependency. We propose a systematic approach to measuring the attack surface exposed by individual vulnerabilities through component-level dependency analysis. The metric could potentially be extended to calculate attack surfaces at the component, package, and system levels. It could also be used to calculate both incoming and outgoing attack surfaces, which enables system administrators to accurately evaluate how much risk a vulnerability, a component or a package poses to the complete system, and how much risk is injected into a component or package by the packages it depends on in a given system. To the best of our knowledge, our approach is the first to quantitatively assess the attack surfaces of vulnerabilities, components, packages, and systems through component-level dependency.
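The abstract distinguishes an outgoing attack surface (risk a vulnerable component pushes onto everything that depends on it) from an incoming attack surface (risk a component inherits from everything it depends on), and aggregates from vulnerability to component, package and system. The following is an added illustration of that distinction, written for this page; it is not the paper's metric or code. The dependency graph, package membership, vulnerability identifiers and severity scores are constructed, and the weighting (severity counted once per transitively affected component) is a simple illustrative choice that the paper does not necessarily use.

```python
from collections import defaultdict, deque

# Constructed component-level dependency graph: DEPENDS_ON[u] lists the
# components u directly depends on (edge u -> v).  Names are hypothetical.
DEPENDS_ON = {
    "httpd.core":  ["ssl.engine", "log.writer"],
    "httpd.cgi":   ["httpd.core"],
    "ssl.engine":  ["crypto.asn1"],
    "log.writer":  [],
    "crypto.asn1": [],
    "admin.cli":   ["log.writer"],
}

# Constructed package membership of each component.
PACKAGE_OF = {
    "httpd.core": "httpd", "httpd.cgi": "httpd",
    "ssl.engine": "openssl", "crypto.asn1": "openssl",
    "log.writer": "syslog", "admin.cli": "admin-tools",
}

# Constructed vulnerabilities: component -> [(vuln id, severity on a 0-10 scale)].
VULNS = {
    "crypto.asn1": [("VULN-1", 7.5)],
    "log.writer":  [("VULN-2", 5.0), ("VULN-3", 2.0)],
}


def transitive_closure(graph, start):
    """All nodes reachable from `start` along graph edges, excluding `start`.
    Cycles are tolerated because each node is visited at most once."""
    seen, queue = set(), deque(graph.get(start, []))
    while queue:
        node = queue.popleft()
        if node in seen or node == start:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def reverse_graph(graph):
    """Flip edges so that rev[v] lists the components that depend on v."""
    rev = defaultdict(list)
    for u, deps in graph.items():
        for v in deps:
            rev[v].append(u)
    return rev


def outgoing_surface(component, severity, graph=DEPENDS_ON):
    """Outgoing attack surface of one vulnerability of the given severity in
    `component`: the severity counted once for the vulnerable component and
    once for every component that transitively depends on it.  Returns the
    score and the sorted list of affected dependents."""
    dependents = transitive_closure(reverse_graph(graph), component)
    return severity * (1 + len(dependents)), sorted(dependents)


def incoming_surface(component, graph=DEPENDS_ON, vulns=VULNS):
    """Incoming attack surface of `component`: total severity of the
    vulnerabilities in everything it transitively depends on.  Its own
    vulnerabilities are not counted; they belong to its outgoing surface."""
    return sum(score
               for dep in transitive_closure(graph, component)
               for _, score in vulns.get(dep, []))


def rank_vulnerabilities(graph=DEPENDS_ON, vulns=VULNS):
    """Vulnerabilities ordered by outgoing surface, largest first, so an
    administrator sees which single fix removes the most exposure."""
    rows = [(vid, comp, outgoing_surface(comp, score, graph)[0])
            for comp, entries in vulns.items() for vid, score in entries]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def package_outgoing_surface(package, graph=DEPENDS_ON, vulns=VULNS,
                             package_of=PACKAGE_OF):
    """Package-level outgoing surface: the sum over the vulnerabilities
    located in the package's components."""
    return sum(surface for _, comp, surface in rank_vulnerabilities(graph, vulns)
               if package_of[comp] == package)


def system_outgoing_surface(graph=DEPENDS_ON, vulns=VULNS):
    """System-level outgoing surface: the sum over every vulnerability."""
    return sum(surface for _, _, surface in rank_vulnerabilities(graph, vulns))


if __name__ == "__main__":
    for vid, comp, surface in rank_vulnerabilities():
        print(f"{vid} in {comp}: outgoing surface {surface}")
    for comp in DEPENDS_ON:
        print(f"{comp}: incoming surface {incoming_surface(comp)}")
    print("system:", system_outgoing_surface())
```

In this constructed graph the ASN.1 flaw in the openssl package scores highest on outgoing surface because three components sit above it transitively, while the CGI handler has the largest incoming surface because it sits at the top of the dependency chain and inherits every flaw below it. The same traversal with real package metadata (for example, the `Depends` relations of a distribution's package manager refined to library or module granularity) and real severity scores is what makes the incoming/outgoing split actionable: outgoing ranks what to patch first, incoming shows which deployed components are most exposed.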



Author information

Corresponding author: Su Zhang.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhang, S., Zhang, X., Ou, X., Chen, L., Edwards, N., Jin, J. (2015). Assessing Attack Surface with Component-Based Package Dependency. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_29

  • DOI: https://doi.org/10.1007/978-3-319-25645-0_29
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-25644-3
  • Online ISBN: 978-3-319-25645-0
