Skip to main content
SpringerLink
Log in

A Bayesian Cogntive Approach to Quantifying Software Exploitability Based on Reachability Testing

  • Conference paper
  • First Online:
Book cover Information Security (ISC 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9866))

Included in the following conference series:

Abstract

Computer hackers or their malware surrogates constantly look for software vulnerabilities in the cyberspace to perform various online crimes, such as identity theft, cyber espionage, and denial of service attacks. It is thus crucial to assess accurately the likelihood that a software can be exploited before it is put into practical use. In this work, we propose a cognitive framework that uses Bayesian reasoning as its first principle to quantify software exploitability. Using the Bayes’ rule, our framework combines in an organic manner the evaluator’s prior beliefs with her empirical observations from software tests that check if the security-critical components of a software are reachable from its attack surface. We rigorously analyze this framework as a system of nonlinear equations, and henceforth perform extensive numerical simulations to gain insights into issues such as convergence of parameter estimation and the effects of the evaluator’s cognitive characteristics.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Crest: Concolic test generation tool for c. https://jburnim.github.io/crest/

  2. http://www.securityweek.com/shellshock-attacks-could-already-top-1-billion-report

  3. Stp constraint solver. http://stp.github.io/

  4. https://nvd.nist.gov/

  5. https://www.exploit-db.com/

  6. http://www.osvdb.org/

  7. The Yices SMT Solver. http://yices.csl.sri.com

  8. Avgerinos, T., Cha, S.K., Hao, B.L.T., Brumley, D.: AEG: automatic exploit generation. NDSS 11, 59–66 (2011)

    Google Scholar 

  9. Bellovin, S.M.: On the brittleness of software and the infeasibility of security metrics. IEEE Secur. Priv. 4(4), 96 (2006)

    Article  Google Scholar 

  10. Brumley, D., Poosankam, P., Song, D., Zheng, J.: Automatic patch-based exploit generation is possible: techniques and implications. In: IEEE Symposium on Security and Privacy (2008)

    Google Scholar 

  11. Cadar, C., Dunbar, D., Engler, D.R.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. OSDI 8, 209–224 (2008)

    Google Scholar 

  12. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. ACM Trans. Inf. Syst. Secur. (TISSEC) 12(2), 10 (2008)

    Article  Google Scholar 

  13. Cadar, C., Sen, K.: Symbolic execution for software testing: three decades later. Commun. ACM 56(2), 82–90 (2013)

    Article  Google Scholar 

  14. CERT. Basic fuzzing framework (bff). https://www.cert.org/vulnerability-analysis/tools/bff.cfm?

  15. Cha, S.K., Avgerinos, T., Rebert, A., Brumley, D.: Unleashing mayhem on binary code. In: IEEE Symposium on Security and Privacy (SP), pp. 380–394. IEEE (2012)

    Google Scholar 

  16. Cha, S.K., Woo, M., Brumley, D.: Program-adaptive mutational fuzzing. In: Proceedings of the IEEE Symposium on Security and Privacy (2015)

    Google Scholar 

  17. Cooper, G.F.: The computational complexity of probabilistic inference using Bayesian belief networks. Artif. Intell. 42(2), 393–405 (1990)

    Article  MathSciNet  MATH  Google Scholar 

  18. Godefroid, P., Levin, M.Y., Molnar, D.: SAGE: whitebox fuzzing for security testing. Queue 10(1), 20 (2012)

    Article  Google Scholar 

  19. Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated whitebox fuzz testing. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2008)

    Google Scholar 

  20. Griffiths, T.L., Kemp, C., Tenenbaum, J.B.: Bayesian models of cognition (2008)

    Google Scholar 

  21. Hoglund, G., McGraw, G.: Exploiting Software: How to Break Code. Addison-Wesley, Boston (2004)

    Google Scholar 

  22. Jansen, W.: Directions in Security Metrics Research. Diane Publishing, Collingdale (2010)

    Google Scholar 

  23. Lebiere, C., Bennati, S., Thomson, R., Shakarian, P., Nunes, E.: Functional cognitive models of malware identification. In: Proceedings of International Conference on Cognitive Modeling (2015)

    Google Scholar 

  24. Manadhata, P.K., Wing, J.M.: An attack surface metric. IEEE Trans. Soft. Eng. 37(3), 371–386 (2011)

    Article  Google Scholar 

  25. McMorrow, D.: Science of cyber-security. Technical report, JASON Program Office (2010)

    Google Scholar 

  26. Nagaraju, S., Craioveanu, C., Florio, E., Miller, M.: Software vulnerability exploitation trends (2013)

    Google Scholar 

  27. Nayak, K., Marino, D., Efstathopoulos, P., Dumitraş, T.: Some vulnerabilities are different than others. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 426–446. Springer, Heidelberg (2014)

    Google Scholar 

  28. Forum of Incident Response and Security Teams (FIRST). Common vulnerabilities scoring system (cvss). http://www.first.org/cvss/

  29. Perfors, A., Tenenbaum, J.B., Griffiths, T.L., Xu, F.: A tutorial introduction to bayesian models of cognitive development. Cognition 120(3), 302–321 (2011)

    Article  Google Scholar 

  30. Rebert, A., Cha, S.K., Avgerinos, T., Foote, J., Warren, D., Grieco, G., Brumley, D.: Optimizing seed selection for fuzzing. In: Proceedings of the USENIX Security Symposium (2014)

    Google Scholar 

  31. Microsoft Research. Z3. https://github.com/Z3Prover/z3

  32. Smith, S.W.: Security and cognitive bias: exploring the role of the mind. IEEE Secur. Priv. 5, 75–78 (2012)

    Article  Google Scholar 

  33. Telang, R., Wattal, S.: An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Soft. Eng. 33(8), 544–557 (2007)

    Article  Google Scholar 

  34. Verendel, V.: Quantified security is a weak hypothesis: a critical survey of results and assumptions. In: Proceedings of the 2009 Workshop on New Security Paradigms Workshop. ACM (2009)

    Google Scholar 

  35. Yan, G., Kucuk, Y., Slocum, M., Last, D.C.: A Bayesian cogntive approach to quantifying software exploitability based on reachability testing (extended version). http://www.cs.binghamton.edu/~ghyan/papers/extended-isc16.pdf

  36. Younis, A., Malaiya, Y.K., Ray, I.: Assessing vulnerability exploitability risk using software properties. Soft. Qual. J 24(1), 1–44 (2016)

    Article  Google Scholar 

  37. Zhong, C., Yen, J., Liu, P., Erbacher, R., Etoty, R., Garneau, C.: An integrated computer-aided cognitive task analysis method for tracing cyber-attack analysis processes. In: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security. ACM (2015)

    Google Scholar 

Download references

Acknowledgment

We acknowledge the support of the Air Force Research Laboratory Visiting Faculty Research Program for this work.

Author information

Authors and Affiliations

  1. Department of Computer Science, Binghamton University, State University of New York, Binghamton, USA

    Guanhua Yan, Yunus Kucuk & Max Slocum

  2. Defense Sciences Institute, Turkish Military Academy, Ankara, Turkey

    Yunus Kucuk

  3. Resilient Synchronized Systems Branch, Air Force Research Laboratory, Rome, USA

    David C. Last

Authors
  1. Guanhua Yan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yunus Kucuk
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Max Slocum
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. David C. Last
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Guanhua Yan .

Editor information

Editors and Affiliations

  1. University of California , Davies, USA

    Matt Bishop

  2. University of Washington , Tacoma, Washington, USA

    Anderson C A Nascimento

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Yan, G., Kucuk, Y., Slocum, M., Last, D.C. (2016). A Bayesian Cogntive Approach to Quantifying Software Exploitability Based on Reachability Testing. In: Bishop, M., Nascimento, A. (eds) Information Security. ISC 2016. Lecture Notes in Computer Science(), vol 9866. Springer, Cham. https://doi.org/10.1007/978-3-319-45871-7_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45871-7_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45870-0

  • Online ISBN: 978-3-319-45871-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation