Abstract
Security vulnerabilities are a concern in systems and software exposed via networked interfaces. Previous research has shown that only a minority of vulnerabilities can be emulated through software fault injection techniques. This paper aims to accurately emulate software security vulnerabilities. To this end, the paper provides a field-data study on the operators needed to emulate vulnerabilities in software written in the C programming language. A practical implementation is constructed and the feasibility of emulating software vulnerabilities is evaluated. The emulation operators were obtained by analyzing publicly available vulnerability databases for the Linux kernel, the Xen hypervisor, and the OpenSSH tool. The results show that a typical security vulnerability involves a single function and consists of combinations of up to three fault operator instances. The expected impact of this study is to allow practical emulation of security defects in large software projects, to support software quality and security assessment.
Acknowledgements
This work was supported by project BASE - Biofeedback Augmented Software Engineering, project no. 31581, IC&DT AAC no. 02/SAICT/2017, and the second author was supported by the Portuguese Foundation for Science and Technology (FCT) through doctoral grant SFRH/BD/130601/2017.
Cite this article
Barbosa, R., Cerveira, F., Gonçalo, L. et al. Emulating representative software vulnerabilities using field data. Computing 101, 119–138 (2019). https://doi.org/10.1007/s00607-018-0657-y
DOI: https://doi.org/10.1007/s00607-018-0657-y