The Impact of Security Mechanisms on Software Vulnerabilities

Authors

Master of Computer Science, Imam Hossein University (AS)

Abstract

Nowadays, the vulnerabilities of operating systems and commonly applied software have provided a
major hole for intruders to attacks to the information technology infrastructures. In this way, attackers may
take the control of computer systems. Researches in software area have struggled a lot to develop and operate
security mechanisms, to be applied in software development lifecycle, to resist the increasing growth of
vulnerabilities. This paper evaluates the measure of impact and effectiveness of these security mechanisms
by reviewing and statistical analysis of the existent reports in global database vulnerabilities. According to
our conducted surveys, it is clarified that despite of the growing development of security mechanisms, some
of the vulnerabilities have grown up and some of them are about removal from the list of the proposed vulnerabilities.
The valuable point of this survey is introducing the rate of using a software as a parameter for
estimating the amount of damage caused by software vulnerabilities.

Keywords


[1] MITRE. (2011). 2011 CWE/SANS Top 25 Most Dangerous
Software Errors. Available: http://cwe.mitre.org/
top25/
[2] A. One, "Smashing the Stack for Fun and Profit,"
BugTraq Archives, p. http://immunix.org/StackGuard/
profit.html, 1996.
[3] C. P. C. Cowan, D. Maier, H. Hinton, P. Bakke, S. Beattie,
A. Grier, P. Wagle and Q. Zhang, " Automatic Detection
and Prevention of Buffer-Overflow Attacks," 7th
USENIX Security Symposium, 1998.
[4] A. S. L. R. A. T.P. Team. (2003). ASLR. Available:
http://pax.grsecurity.net/docs/aslr.txt
[5] WIKI. (2012). Stack buffer overflow. Available: http://
en.wikipedia.org/wiki/Stack_buffer_overflow
[6] Z. K. Jun Xu, and K. I. Ravishankar , "Transparent
Runtime Randomization for Security.
[7] C. P. Kyungtae-Kim, "Securing heap memory by datapointer
encoding," Elsevier, 2011.
[8] Z. K. Jun Xu, and Ravishankar K. Iyer, "Transparent
Runtime Randomization for Security," 2002.
[9] J. P.anderson, "Computer Security Technology Planning
Study," EDS-TR-73-51, vol. 2, pp. 61-61, Octobr 1972
1972.
[10] D. Seeley. A Tour of the Worm. Available: http://
web.archive.org/web/20070520233435/http://
world.std.com/~franl/worm.html#p4.5.2
[11] WIKI. (2012). Buffer overflow. Available: http://
en.wikipedia.org/wiki/Buffer_overflow
[12] D. Alhambra "Smashing The Stack For Fun And Profit,"
phrack vol. seven, August 1996.
[13] M. technet, "Microsoft Security Bulletin MS02-039,"
2007-06-03 2003.
[14] Games industry, "Hacker breaks Xbox protection without
mod-chip," 2003.
[15] C. P. C. Cowan, D. Maier, J. Walpole, P. Bakke, S.
Beattie, A. Grier, P. Wagle, and Q. Zhang,,
"StackGuard: Automatic Adaptive Detection and Prevention
of Buffer-Overflow Attacks," 1998.
[16] P. W. C. Cowan, C. Pu, S. Beattie, and Jo. Walpole,
"Buffer Overflows: Attacks and Defenses for the Vulnerability
of the Decade*," 1999.
[17] J. S. F. D. Wagner, E. A. Brewer, Al. Aiken, "A First
Step Towards Automated Detection of Buffer Overrun
Vulnerabilities," 2000.
[18] D. E. D. Larochelle, "Statically Detecting Likely Buffer
Overflow Vulnerabilities," 2001.
[19] S. B. C. Cowan, J. Johansen, P. Wagle, "Point
GuardTM: Protecting Pointers From Buffer Overflow
Vulnerabilities," ed Washington, D.C., USA, 2003.
[20] M. B. E. Haugh "Testing C programs for buffer overflow
vulnerabilities," 2003.
[21] M. L. O. Ruwase, "A Practical Dynamic Buffer
Overflow Detector," 2004.
[22] P. K. R. Jones "Backwards-compatible bounds checking
for arrays and pointers in C programs," pp. 13-26, 1997.
[23] F. P. Y. Younan, W. Joosen, "Protecting global and
static variables from buer overflow attacks without
overhead," 2006.
[24] Y. F. Y. Fen, S. Xiaobing, Y. Xinchun, M. Bing "A
New Data Randomization Method to Defend Buffer
Overflow Attacks," Elsevie, 2011.
[25] D. Lea. (2009). A Memory Allocator. Available: http://
g.oswego.edu/dl/html/malloc.html
[26] C. K. Th. Toth, "Accurate Buffer Overflow Detection
via Abstract Payload Execution," 2002.
[27] A. D. K. Gaurav S. Kc, Vassilis Prevelakis, "Countering
Code-Injection Attacks With Instruction-Set Randomization,"
Copyright 2003 ACM, 2003.
[28] M. S. L. Olatunji Ruwase, "A Practical Dynamic Buffer
Overflow Detector," 2003.
[29] J. J. Ch. Kil, Ch. Bookholt, J. Xu, P. Ning, "Address
Space Layout Permutation (ASLP): Towards Fine-
Grained Randomization of Commodity Software,"
2005.
[30] P. N. Jun Xu, Ch. Kil, Y. Zhai, Ch. Bookholt,
"Automatic Diagnosis and Response to Memory Corruption
Vulnerabilities," ACM, 2005.
[31] X. J. M. Kharbutli, Y. Solihin, G. Venkataramani, M.
Prvulovic, "Comprehensively and Efficiently Protecting
the Heap," Intl. Symp. on Architecture Support for Programming
Languages and Operating Systems, 2006.
[32] B. G. Z. Emery D. Berger, "DieHard: Probabilistic
Memory Safety for Unsafe Languages," ACM, 2006.
[33] M. R. C. M. Linn, S. Baker, C. Collberg, S. K. Debray,
J. H. Hartman, "Protecting Against Unexpected System
Calls," 2005.
[34] W. J. Y. Younan, and F. Piessens, "Efficient protection
against heap-based buffer overflows without resorting
to magic," 2005.
[35] J. C. Z. Shao , K. C.C. Chan, C. Xue, E. H.-M. Sha,
"Hardware/software optimization for array & pointer
boundary checking against buffer overflow attacks,"
ScienceDirect, 2006.
[36] A. G. Del Grosso C, Di Penta M, "An evolutionary
testing approach to detect buffer overflow," 2004.
[37] D. P. M. Del Grosso C, Antoniol G, Merlo E, Galinier
P, "Improving network applications security: a new
heuristic to generate stress testing data," 2005.
[38] G. A. C. Del Grosso, E. Merlo, P. Galinier, "Detecting
buffer overflow via automatic test input data generation,"
www.elsevier.com, 2007.
[39] B. L. P. Ratanaworabhan, B. Zorn, "Nozzle: A Defense
Against Heap-spraying Code Injection Attacks," Microsoft
Research Technical Report MSR-TR-2008-176,
2008.
[40] C. H. H. Fu-Hau Hsu, Chi-Hsien Hsu, Chih-Wen Ou, Li
-Han Chen, Ping-Cheng Chiu, "HSP: A solution against
heap sprays," http://www.elsevier.com/locate/jss, 2010.
[41] Symantec, "Analysis of GS protections in Microsoft®
Windows Vista™," 2007.
[42] Symantec, "An Analysis of Address Space Layout Randomization
on Windows Vista™," 2010.
[43] Secunia, "DEP/ASLR Implementation Progress in Popular
Third-party Windows Applications," 2010.
[44] nvd.nist.gov/, "National Vulnerability Database," 2012.
[45] Wiki. (2012). Usage_share_of_web_browsers. Available:
http://en.wikipedia.org/
wikiUsage_share_of_web_browsers
[46] Wiki.(2012).Usage_share_of_operating_systems. Available
:http://en.wikipedia.org/wikiUsage share of operating
systems.
Volume 2, Issue 1 - Serial Number 1
September 2020
Pages 49-60
  • Receive Date: 09 September 2014
  • Revise Date: 03 July 2023
  • Accept Date: 19 September 2018
  • Publish Date: 22 May 2014