Improving VRSS-based vulnerability prioritization using analytic hierarchy process

The number of vulnerabilities discovered in computer systems has increased explosively. Thus, a key question for system administrators is which vulnerabilities to prioritize. The need for vulnerability prioritization in organizations is widely recognized. The significant role of the vulnerability evaluation system is to separate vulnerabilities from each other as far as possible. There are two major methods to assess the severity of vulnerabilities: qualitative and quantitative methods. In this paper, we first describe the design space of vulnerability evaluation methodology and discuss the measures of well-defined evaluation framework. We analyze 11,395 CVE vulnerabilities to expose the differences among three current vulnerability evaluation systems (X-Force, CVSS and VRSS). We find that vulnerabilities are not separated from each other as much as possible. In order to increase the diversity of the results, we firstly enable vulnerability type to prioritize vulnerabilities using analytic hierarchy process on the basis of VRSS. We quantitatively characterize the vulnerability type and apply the method on the set of 11,395 CVE vulnerabilities. The results show that the quality of the quantitative scores can be improved with the help of vulnerability type.     

基于形式化方法的区块链系统漏洞检测模型

随着区块链技术在各行各业的广泛应用,区块链系统的架构变得越来越复杂,这也增加了安全问题的数量.目前,在区块链系统中采用了模糊测试、符号执行等传统的漏洞检测方法,但这些技术无法有效检测出未知的漏洞.为了提高区块链系统的安全性,本文提出了基于形式化理论的区块链系统漏洞检测模型VDMBS (Vulnerability Detection Model for Blockchain Systems),该模型综合了系统迁移状态、安全规约和节点间信任关系等多种安全因素,同时提供了基于业务流程执行语言BPEL (Business Process Execution Language)流程的漏洞模型构建方法.最后,本文用NuSMV在基于区块链的电子投票选举系统上验证了所提出的漏洞检测模型的有效性,实验结果表明,与现有的五种形式化测试工具相比,所提出的VDMBS模型能够检测出更多的区块链系统业务逻辑漏洞和智能合约漏洞.     

The Laws of Vulnerabilities: Which security vulnerabilities really matter?

New security vulnerabilities are discovered on a daily basis. With each new announcement, the same questions arise. How significant is this vulnerability? How prevalent? How easy is it to exploit? Due to a lack of global vulnerability data, answers are hard to find and risk rating is even more difficult. The Laws of Vulnerabilities are the conclusions of analyzing statistical vulnerability information over a three-year period. Those vulnerabilities have been identified in the real world across hundreds of thousands of systems and networks. These data are not identifiable to individual users or systems. However, it provides significant statistical data for research and analysis, which enabled us to define and publish the Laws of Vulnerabilities (http://www.qualys.com/research/rnd/vulnlaws/).     

Assessment Of Vulnerability Scanners

Securing information over the Internet can be facilitated by a multitude of security technologies. Technologies such as intrusion detection systems, anti-virus software, firewalls and crypto devices have all contributed significantly to the security of information. This article focuses on vulnerability scanners (VSs). A VS has a vulnerability database containing hundreds of known vulnerabilities, which it scans for. VSs do not scan for the same type of vulnerabilities since the vulnerability databases for each VS differ extensively. In addition, there is an overlap of vulnerabilities between the vulnerability databases of various VSs. The concept of harmonised vulnerability categories is introduced in this paper. Harmonised vulnerability categories consider the entire scope of known vulnerabilities across various VSs in a bid to act as a mediator in assessing the vulnerabilities that VSs scan for. Harmonised vulnerability categories, thus, are used to do an objective assessment of the vulnerability database of a VS.     

基于可靠性理论的分布式系统脆弱性模型

对现有的脆弱性分析方法进行分析和比较,提出基于可靠性理论的分布式系统脆弱性模型.针对影响分布式系统安全性的各项因素进行脆弱性建模,利用模型检验方法构造系统的脆弱性状态图,描述系统脆弱性的完整利用过程,引入可靠性理论对分布式系统的脆弱性进行分析和量化评估,从而为增强分布式系统的安全性提供理论依据.     

A New Taxonomy of Linux/Unix Operating System and Network Vulnerabilities

This paper analyzes the existing taxonomies of software vulnerability, describes the actuality of researches on software vulnerability. Then this paper lists the major characters describing software vulnerabilities, which include cause, location, impact, remedy, verification, detect and attack characters. For Unix/Linux operation systems, this paper proposes a two-dimensional taxonomy of software vulnerability based on location and cause attributes, describes the choosing reason of taxonomic attributes, and the classification scheme is described in detail. Design vulnerabilities are important class of vulnerabilities, but no classification identifies the types of design vulnerabilities in further detail yet, so this paper pays attention to design vulnerabilities.     

基于权限验证图的Web应用访问控制漏洞检测

针对Web应用中的访问控制漏洞缺乏有效检测手段的问题，提出了一种基于权限验证图的检测算法。首先，在程序控制流图（CFG）的基础上，识别权限验证节点和资源节点，通过T和F边将节点连成权限验证图。然后，遍历资源节点对应的所有权限验证路径，计算路径验证权限，与资源节点访问权限比较，检测是否存在访问控制漏洞。实验结果表明，在7个Web应用中，发现了8个已知和未知漏洞，相比较于已有的访问控制漏洞检测算法，该算法可以有效检测4种访问控制漏洞，扩大了漏洞检测范围。     

网络应用程序漏洞扫描器的局限性

设计了一个专用的网络攻击测试环境,对应用程序服务器发起过程可控的网络漏洞攻击,并记录各类Web应用程序漏洞扫描器的检测结果。从而发现其存在的技术缺陷和功能限制,并对此提出改进建议。     

智能合约安全漏洞检测研究进展

智能合约是运行在区块链合约层的计算机程序,能够管理区块链上的加密数字货币和数据,实现多样化的业务逻辑,扩展了区块链的应用.由于智能合约中通常涉及大量资产,吸引了大量攻击者试图利用其中的安全漏洞获得经济利益.近年来,随着多起智能合约安全事件的发生(例如TheDAO、Parity安全事件等),针对智能合约的安全漏洞检测技术成为国内外研究热点.提出智能合约安全漏洞检测的研究框架,分别从漏洞发现与识别、漏洞分析与检测、数据集与评价指标这3个方面分析现有检测方法研究进展.首先,梳理安全漏洞信息收集的基本流程,将已知漏洞根据基础特征归纳为13种漏洞类型并提出智能合约安全漏洞分类框架;然后,按照符号执行、模糊测试、机器学习、形式化验证和静态分析5类检测技术对现有研究进行分析,并讨论各类技术的优势及局限性;第三,整理常用的数据集和评价指标;最后,对智能合约安全漏洞检测的未来研究方向提出展望.     

Perturbation-based user-input-validation testing of web applications

User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.     

Securing decentralized reputation management using TrustGuard

Reputation systems have been popular in estimating the trustworthiness and predicting the future behavior of nodes in a large-scale distributed system where nodes may transact with one another without prior knowledge or experience. One of the fundamental challenges in distributed reputation management is to understand vulnerabilities and develop mechanisms that can minimize the potential damages to a system by malicious nodes. In this paper, we identify three vulnerabilities that are detrimental to decentralized reputation management and propose TrustGuard—a safeguard framework for providing a highly dependable and yet efficient reputation system. First, we provide a dependable trust model and a set of formal methods to handle strategic malicious nodes that continuously change their behavior to gain unfair advantages in the system. Second, a transaction-based reputation system must cope with the vulnerability that malicious nodes may misuse the system by flooding feedbacks with fake transactions. Third, but not the least, we identify the importance of filtering out dishonest feedbacks when computing reputation-based trust of a node, including the feedbacks filed by malicious nodes through collusion. Our experiments show that, comparing with existing reputation systems, our framework is highly dependable and effective in countering malicious nodes regarding strategic oscillating behavior, flooding malevolent feedbacks with fake transactions, and dishonest feedbacks.     

Enlargement of vulnerable web applications for testing

There are two main kinds of vulnerable web applications, usual applications developed with a specific aim and applications which are vulnerable by design. On one hand, the usual applications are those that are used everywhere and on a daily basis, and where vulnerabilities are detected, and often mended, such as online banking systems, newspaper sites, or any other Web site. On the other hand, vulnerable by design web applications are developed for proper evaluation of web vulnerability scanners and for training in detecting web vulnerabilities. The main drawback of vulnerable by design web applications is that they used to include just a short set of well-known types of vulnerabilities, usually from famous classifications like the OWASP Top Ten. They do not include most of the types of web vulnerabilities. In this paper, an analysis and assessment of vulnerable web applications is conducted in order to select the applications that include the larger set of types of vulnerabilities. Then those applications are enlarged with more types of web vulnerabilities that vulnerable web applications do not include. Lastly, the new vulnerable web applications have been analyzed to check whether web vulnerability scanners are able to detect the new added vulnerabilities, those vulnerabilities that vulnerable by design web applications do not include. The results show that the tools are not very successful in detecting those vulnerabilities, less than well-known vulnerabilities.     

基于数据流传播路径学习的智能合约时间戳漏洞检测

智能合约是一种被大量部署在区块链上的去中心化的应用. 由于其具有经济属性, 智能合约漏洞会造成潜在的巨大经济和财产损失, 并破坏以太坊的稳定生态. 因此, 智能合约的漏洞检测具有十分重要的意义. 当前主流的智能合约漏洞检测方法(诸如Oyente和Securify)采用基于人工设计的启发式算法, 在不同应用场景下的复用性较弱且耗时高, 准确率也不高. 为了提升漏洞检测效果, 针对智能合约的时间戳漏洞, 提出基于数据流传播路径学习的智能合约漏洞检测方法Scruple. 所提方法首先获取时间戳漏洞的潜在的数据传播路径, 然后对其进行裁剪并利用融入图结构的预训练模型对传播路径进行学习, 最后对智能合约是否具有时间戳漏洞进行检测. 相比而言, Scruple具有更强的漏洞捕捉能力和泛化能力, 传播路径学习的针对性强, 避免了对程序整体依赖图学习时造成的层次太深而无法聚焦漏洞的问题. 为了验证Scruple的有效性, 在真实智能合约的数据集上, 开展Scruple方法与13种主流智能合约漏洞检测方法的对比实验. 实验结果表明, Scruple在检测时间戳漏洞上的准确率, 召回率和F1值分别可以达到0.96, 0.90和0.93, 与13种当前主流方法相比, 平均相对提升59%, 46%和57%, 从而大幅提升时间戳漏洞的检测能力.     

TaintPoint:使用活跃轨迹高效挖掘污点风格漏洞

覆盖反馈的灰盒Fuzzing已经成为漏洞挖掘最有效的方式之一.广泛使用的边覆盖是一种控制流信息,然而在面向污点风格(taint-style)的漏洞挖掘时,这种反馈信息过于粗糙.大量污点无关的种子被加入队列,污点相关的种子数量又过早收敛,导致Fuzzing失去进化方向,无法高效测试Source和Sink之间的信息流.首先,详细分析了现有反馈机制在检测污点风格漏洞时不够高效的原因;其次,提出了专门用于污点风格漏洞挖掘的模糊器TaintPoint.TaintPoint在控制流轨迹的基础上加入了活跃污点这一数据流信息,形成活跃轨迹(livetrace)作为覆盖反馈,并围绕活跃轨迹分别在插桩、种子过滤、选择和变异阶段改进现有方法.在UAFBench上的实验结果表明:TaintPoint检测污点风格漏洞的效率、产出和速度优于业界领先的通用模糊器AFL++及定向模糊器AFLGO;此外,在两个开源项目上发现了4个漏洞并被确认.     

Useful vulnerability assessment

It is a commonly held view that the goal of vulnerability testing is to uncover as many vulnerabilities as possible, and ideally to uncover all vulnerabilities in the tested systems. In my opinion this is incorrect; the main point of vulnerability testing should be to enable an organization to fix the vulnerabilities that their risk assessment requires them to fix, and to provide input to their risk assessment process on subjects their current assessment underestimates. This article focuses on a pragmatic approach to vulnerability assessment that helps organizations become more secure.     

Assessing vulnerability exploitability risk using software properties

Attacks on computer systems are now attracting increased attention. While the current trends in software vulnerability discovery indicate that the number of newly discovered vulnerabilities continues to be significant, the time between the public disclosure of vulnerabilities and the release of an automated exploit is shrinking. Thus, assessing the vulnerability exploitability risk is critical because this allows decision-makers to prioritize among vulnerabilities, allocate resources to patch and protect systems from these vulnerabilities, and choose between alternatives. Common vulnerability scoring system (CVSS) metrics have become the de facto standard for assessing the severity of vulnerabilities. However, the CVSS exploitability measures assign subjective values based on the views of experts. Two of the factors in CVSS, Access Vector and Authentication, are the same for almost all vulnerabilities. CVSS does not specify how the third factor, Access Complexity, is measured, and hence it is unknown whether it considers software properties as a factor. In this work, we introduce a novel measure, Structural Severity, which is based on software properties, namely attack entry points, vulnerability location, the presence of the dangerous system calls, and reachability analysis. These properties represent metrics that can be objectively derived from attack surface analysis, vulnerability analysis, and exploitation analysis. To illustrate the proposed approach, 25 reported vulnerabilities of Apache HTTP server and 86 reported vulnerabilities of Linux Kernel have been examined at the source code level. The results show that the proposed approach, which uses more detailed information, can objectively measure the risk of vulnerability exploitability and results can be different from the CVSS base scores.     

Vulnerabilities assessment — Part 2. Getting in through the ‘Net’

In the first part of this article we defined a vulnerability and discussed how to determine the importance of vulnerabilities. We looked at many types of vulnerabilities. Most people think of a vulnerability as something that gets exploited by ‘hacking in’ to organizations and systems by strangers on the outside. We looked at several important vulnerabilities not usually given much consideration because of that preconception: legal vulnerabilities, personnel/human resources vulnerabilities, premises vulnerabilities, phone switch vulnerabilities, disaster recovery/contingency planning vulnerabilities, insurance vulnerabilities, policy vulnerabilities, password vulnerabilities, default value vulnerabilities and improper access control vulnerabilities. It was shown that it was neither possible nor effective to remove all vulnerabilities, but that proper analyses were necessary to determine which to treat.     

基于序列标注的漏洞信息结构化抽取方法

从漏洞信息当中抽取结构化信息对于安全研究而言有重要意义。安全研究者常需要在大规模的CVE数据中按特定要求进行筛选,或对漏洞进行自动化的分析测试。然而现有的CVE数据库中只包含了非结构化的文本描述和并不完备的辅助信息。从描述文本抽取结构化的信息能帮助研究者更好地组织与分析CVE。总结漏洞描述包含的七种核心要素,为结构化抽取建立模型,并将信息抽取转换为一个序列标注模型,构建数据集对其进行训练。实验表明,该模型能够以较高的准确率从CVE文本中抽取出各类关键信息。     

Windows of vulnerability: a case study analysis

The authors propose a life cycle model for system vulnerabilities, then apply it to three case studies to reveal how systems often remain vulnerable long after security fixes are available. For each case, we provide background information about the vulnerability, such as how attackers exploited it and which systems were affected. We then tie the case to the life-cycle model by identifying the dates for each state within the model. Finally, we use a histogram of reported intrusions to show the life of the vulnerability, and we conclude with an analysis specific to the particular vulnerability.