An information flow-based taxonomy to understand the nature of software vulnerabilities

Daniela Oliveira, Jedidiah Crandall, Harry Kalodner, Nicole Morin, Megan Maher, Jesus Navarro, Felix Emiliano

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

Despite the emphasis on building secure software, the number of vulnerabilities found in our systems is increasing every year, and wellunderstood vulnerabilities continue to be exploited. A common response to vulnerabilities is patch-based mitigation, which does not completely address the flaw and is often circumvented by an adversary. The problem actually lies in a lack of understanding of the nature of vulnerabilities. Vulnerability taxonomies have been proposed, but their usability is limited because of their ambiguity and complexity. This paper presents a taxonomy that views vulnerabilities as fractures in the interpretation of information as it flows in the system. It also presents a machine learning study validating the taxonomy’s unambiguity. A manually labeled set of 641 vulnerabilities trained a classifier that automatically categorized more than 70000 vulnerabilities from three distinct databases with an average success rate of 80%. Important lessons learned are discussed such as (i) approximately 12%of the studied reports provide insufficient information about vulnerabilities, and (ii) the roles of the reporter and developer are not leveraged, especially regarding information about tools used to find vulnerabilities and approaches to address them.

Original languageEnglish (US)
Title of host publicationICT Systems Security and Privacy Protection - 31st IFIP TC 11 International Conference, SEC 2016, Proceedings
EditorsStefan Katzenbeisser, Jaap-Henk Hoepman
PublisherSpringer New York LLC
Pages227-242
Number of pages16
ISBN (Print)9783319336299
DOIs
StatePublished - 2016
Externally publishedYes
Event31st IFIP TC 11 International Conference on Systems Security and Privacy Protection, SEC 2016 - Ghent, Belgium
Duration: May 30 2016Jun 1 2016

Publication series

NameIFIP Advances in Information and Communication Technology
Volume471
ISSN (Print)1868-4238

Conference

Conference31st IFIP TC 11 International Conference on Systems Security and Privacy Protection, SEC 2016
CountryBelgium
CityGhent
Period5/30/166/1/16

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management

Fingerprint Dive into the research topics of 'An information flow-based taxonomy to understand the nature of software vulnerabilities'. Together they form a unique fingerprint.

Cite this