Abstract
The fast adoption of Cloud computing has led to an increase in novel information technology threats. The targets of these new threats range from large-scale distributed systems, such as the Large Hadron Collider at CERN, to industrial (water, power, electricity, oil, gas, etc.) distributed systems, i.e. SCADA systems. The use of automated tools for vulnerability assessment is quite attractive, but while these tools can find common problems in a program’s source code, they miss a significant number of critical and complex vulnerabilities. In addition, middleware systems frequently base their security on mechanisms such as authentication, authorization, and delegation. While these mechanisms have been studied in depth and can control key resources, they are not enough to assure that all of an application’s resources are safe. Therefore, the security of distributed systems has been placed under the watchful eye of security practitioners in government, academia, and industry. To tackle the problem of assessing the security of critical middleware systems, we propose a new automated vulnerability assessment approach, called Attack Vector Analyzer (AvA), which is able to automatically hint at which middleware components should be assessed and why. AvA is based on automating part of the First Principles Vulnerability Assessment, an analyst-centric (manual) methodology that has been used successfully to evaluate many production middleware systems. AvA’s results are language-independent, provide a comprehensive assessment of attack vectors in the middleware, and are based on the Common Weakness Enumeration (CWE) system, a widely used labeling of security weaknesses. Our results are contrasted against a previous manual vulnerability assessment of the CrossBroker grid resource manager, and corroborate which middleware components should be assessed and why.
This research has been supported by the MEC-MICINN Spain under contract TIN2007-64974 and by Department of Homeland Security grant FA8750-10-2-0030.
© 2013 Springer-Verlag Berlin Heidelberg
Serrano, J., Cesar, E., Heymann, E., Miller, B. (2013). Increasing Automated Vulnerability Assessment Accuracy on Cloud and Grid Middleware. In: Deng, R.H., Feng, T. (eds) Information Security Practice and Experience. ISPEC 2013. Lecture Notes in Computer Science, vol 7863. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38033-4_20
DOI: https://doi.org/10.1007/978-3-642-38033-4_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38032-7
Online ISBN: 978-3-642-38033-4
eBook Packages: Computer Science (R0)