Abstract
Package dependency has been considered in many vulnerability assessment systems. However, existing approaches are either coarse-grained and do not accurately reveal the influence and severity of vulnerabilities, or do not provide a comprehensive (both incoming and outgoing) analysis of the attack surface exposed through package dependency. We propose a systematic approach to measuring the attack surface exposed by individual vulnerabilities through component-level dependency analysis. The metric could potentially be extended to calculate attack surfaces at the component, package, and system levels. It could also be used to calculate both incoming and outgoing attack surfaces, which enables system administrators to accurately evaluate how much risk a vulnerability, a component or a package poses to the complete system, and how much risk is injected into a component or package by the packages it depends on in a given system. To the best of our knowledge, our approach is the first to quantitatively assess the attack surfaces of vulnerabilities, components, packages, and systems through component-level dependency.
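The distinction the abstract draws between outgoing exposure (what a vulnerable component puts at risk) and incoming exposure (what a component inherits from its dependencies) comes down to traversing the dependency graph in opposite directions. The following is an added illustration, not code from the paper: the component names, the vulnerability records and the aggregation (a plain sum of per-vulnerability severity scores) are all constructed assumptions, and the paper's actual metric is not reproduced here.

```python
"""Toy illustration of incoming vs. outgoing attack surface over a
component dependency graph. Names, scores and the aggregation rule are
constructed for this example and are not the paper's metric."""
from collections import defaultdict

# Constructed sample: component -> set of components it directly depends on.
DEPENDS_ON = {
    "webapp": {"json-parser", "auth-lib"},
    "auth-lib": {"crypto-lib"},
    "json-parser": set(),
    "crypto-lib": set(),
    "report-tool": {"json-parser"},
}

# Constructed sample: (vulnerability id, affected component, severity score).
# Scores are placeholders on a 0-10 scale, in the spirit of a CVSS base score.
VULNS = [
    ("VULN-A", "json-parser", 7.5),
    ("VULN-B", "crypto-lib", 9.8),
    ("VULN-C", "webapp", 4.3),
]


def reverse_graph(depends_on):
    """Build the dependents map: component -> components that depend on it."""
    dependents = defaultdict(set)
    for comp, deps in depends_on.items():
        dependents.setdefault(comp, set())
        for dep in deps:
            dependents[dep].add(comp)
    return dependents


def reachable(graph, start):
    """Every node transitively reachable from start (start itself excluded)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)
    return seen


def outgoing_surface(vuln_component, depends_on):
    """Outgoing view: components exposed by a flaw in vuln_component, i.e.
    everything that transitively depends on it (walk the reversed graph)."""
    return reachable(reverse_graph(depends_on), vuln_component)


def incoming_surface(component, depends_on, vulns):
    """Incoming view: vulnerabilities injected into component by its
    transitive dependencies (walk the graph forward). Returns the inherited
    records and their summed severity; the sum is an assumed aggregation."""
    deps = reachable(depends_on, component)
    inherited = [(vid, comp, score) for vid, comp, score in vulns if comp in deps]
    return inherited, round(sum(score for _, _, score in inherited), 1)


def system_outgoing(vulns, depends_on):
    """Per-vulnerability outgoing exposure: id -> set of exposed components."""
    return {vid: outgoing_surface(comp, depends_on) for vid, comp, _ in vulns}


if __name__ == "__main__":
    for vid, exposed in system_outgoing(VULNS, DEPENDS_ON).items():
        print(f"{vid} exposes: {sorted(exposed) or 'nothing downstream'}")
    for comp in DEPENDS_ON:
        inherited, total = incoming_surface(comp, DEPENDS_ON, VULNS)
        print(f"{comp} inherits {[v for v, _, _ in inherited]} (total {total})")
```

Running the block shows that a high-severity flaw in a leaf such as `crypto-lib` has a large outgoing surface because every dependent up the chain is reachable, while the same leaf has an empty incoming surface; `webapp`, at the top of the chain, inherits both upstream flaws even though only one vulnerability is recorded against it directly. Replacing the summed score with a different aggregation rule only changes `incoming_surface`; the reachability logic is what distinguishes the two directions.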
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhang, S., Zhang, X., Ou, X., Chen, L., Edwards, N., Jin, J. (2015). Assessing Attack Surface with Component-Based Package Dependency. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_29
DOI: https://doi.org/10.1007/978-3-319-25645-0_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25644-3
Online ISBN: 978-3-319-25645-0
eBook Packages: Computer Science (R0)