Abstract
Attackers, or the malware acting on their behalf, constantly look for software vulnerabilities in cyberspace in order to commit online crimes such as identity theft, cyber espionage, and denial-of-service attacks. It is therefore crucial to assess accurately how likely a piece of software is to be exploited before it is put into practical use. In this work, we propose a cognitive framework that uses Bayesian reasoning as its first principle to quantify software exploitability. Using Bayes' rule, the framework combines the evaluator's prior beliefs with her empirical observations from software tests that check whether the security-critical components of the software are reachable from its attack surface. We rigorously analyze this framework as a system of nonlinear equations and then perform extensive numerical simulations to gain insight into issues such as the convergence of parameter estimation and the effects of the evaluator's cognitive characteristics.
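The abstract describes the mechanics only at a high level: a prior belief about whether a security-critical component is reachable from the attack surface, updated by Bayes' rule with the outcomes of reachability tests. The following is an added example and not code from the paper; the paper's own framework is a system of nonlinear equations, whereas this block uses the simplest conjugate model (a Beta prior on the reachability probability, updated with Bernoulli test outcomes) purely to make the update step, the influence of prior strength, and convergence with accumulating evidence concrete. The names `BetaBelief`, `prior_from_belief`, `exploitability_score`, the `confidence` pseudo-count parameterisation, and the sample test outcomes are all assumptions constructed for this illustration.

```python
"""Illustrative Bayesian update of a reachability estimate from test outcomes.

Added example, not code from the paper. A Beta(alpha, beta) belief over
p = P(security-critical component reachable from the attack surface) is
updated with each test outcome via Bayes' rule (conjugate Beta-Bernoulli
update). The sample outcomes below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class BetaBelief:
    """Beta(alpha, beta) belief about the reachability probability p."""
    alpha: float
    beta: float

    @property
    def mean(self) -> float:
        return self.alpha / (self.alpha + self.beta)

    def update(self, reached: bool) -> "BetaBelief":
        # Bayes' rule for one Bernoulli observation under a Beta prior:
        # a test that reaches the component adds one success, a test that
        # does not adds one failure.
        if reached:
            return BetaBelief(self.alpha + 1.0, self.beta)
        return BetaBelief(self.alpha, self.beta + 1.0)


def prior_from_belief(prior_mean: float, confidence: float) -> BetaBelief:
    """Encode an evaluator's prior as Beta(mean * n, (1 - mean) * n).

    `confidence` is the pseudo-count n (assumed parameterisation): the larger
    it is, the more firmly the prior is held and the less the same evidence
    moves the estimate. It stands in here for the evaluator's cognitive
    characteristics mentioned in the abstract.
    """
    if not 0.0 < prior_mean < 1.0 or confidence <= 0.0:
        raise ValueError("prior_mean must be in (0, 1) and confidence > 0")
    return BetaBelief(prior_mean * confidence, (1.0 - prior_mean) * confidence)


def posterior_trajectory(prior: BetaBelief, outcomes: Iterable[bool]) -> List[float]:
    """Posterior mean after each successive test outcome."""
    belief = prior
    means: List[float] = []
    for reached in outcomes:
        belief = belief.update(reached)
        means.append(belief.mean)
    return means


def exploitability_score(prior: BetaBelief, outcomes: Iterable[bool]) -> float:
    """Posterior mean P(reachable) after all outcomes: the exploitability estimate."""
    belief = prior
    for reached in outcomes:
        belief = belief.update(reached)
    return belief.mean


# Constructed outcomes: 20 test runs (e.g. concolic or fuzzing inputs), 5 of
# which reached the security-critical component (True = reached).
SAMPLE_OUTCOMES: Tuple[bool, ...] = (
    True, False, False, False, True,
    False, False, True, False, False,
    False, False, True, False, False,
    False, True, False, False, False,
)


def compare_evaluators(outcomes: Tuple[bool, ...] = SAMPLE_OUTCOMES) -> Dict[str, float]:
    """Same evidence, two evaluators: a weakly held low prior and a firmly held high prior."""
    sceptic = prior_from_belief(0.10, confidence=2.0)
    optimist = prior_from_belief(0.80, confidence=40.0)
    return {
        "empirical_rate": sum(outcomes) / len(outcomes),
        "sceptic": exploitability_score(sceptic, outcomes),
        "optimist": exploitability_score(optimist, outcomes),
    }


if __name__ == "__main__":
    for name, value in compare_evaluators().items():
        print(f"{name:15s} {value:.3f}")
    traj = posterior_trajectory(prior_from_belief(0.80, 40.0), SAMPLE_OUTCOMES)
    print("optimist trajectory:", " ".join(f"{m:.2f}" for m in traj))
```

With 5 of 20 tests reaching the component, the weakly held sceptical prior lands close to the empirical rate while the firmly held optimistic prior is still pulled far above it; only a much longer test sequence brings both estimates together, which is the convergence question the abstract raises.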
Acknowledgment
We acknowledge the support of the Air Force Research Laboratory Visiting Faculty Research Program for this work.
© 2016 Springer International Publishing Switzerland
Yan, G., Kucuk, Y., Slocum, M., Last, D.C. (2016). A Bayesian Cognitive Approach to Quantifying Software Exploitability Based on Reachability Testing. In: Bishop, M., Nascimento, A. (eds) Information Security. ISC 2016. Lecture Notes in Computer Science, vol 9866. Springer, Cham. https://doi.org/10.1007/978-3-319-45871-7_21
DOI: https://doi.org/10.1007/978-3-319-45871-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45870-0
Online ISBN: 978-3-319-45871-7