The relationship of software vulnerabilities and workarounds

Article type: Research article

Authors

1 Computer Engineering Department, Yazd University, Yazd, Iran

2 Computer Engineering Department, Yazd University, Yazd, Iran

Abstract

This paper investigates the relationship between types of software vulnerabilities and their workarounds. A workaround is a method by which the user eliminates or reduces the risk of exploitation arising from a vulnerability without removing the vulnerability itself. So far, little attention has been paid to this potential. Workarounds can be very effective in automating the response to vulnerabilities. In this research, a new database of workarounds was first compiled by combining data from four reference vulnerability databases (OSVDB, Security Tracker, CERT CC Vulnerability Notes and NVD). In this database, which we have named VuWaDB, workarounds are organized into six main categories: configuration, code modification, route alteration, elimination, access restriction and utility tools. Vulnerability types were determined from the CWEs assigned to each vulnerability in NVD. To discover the relationship between vulnerabilities and their corresponding workarounds, a bipartite graph was extracted after a statistical survey. The results of these analyses are presented and discussed in the related tables. The obtained results provide the relationship between software vulnerabilities and workarounds.

Keywords


Article title [English]

The relationship of software vulnerabilities and workarounds

Authors [English]

  • A. Khazaei 1
  • M. Ghasemzadeh 2

1 Computer Engineering Department, Yazd University, Yazd, Iran.
2 Computer Engineering Department, Yazd University, Yazd, Iran.

Abstract [English]

This paper investigates the relationship between vulnerability types and their workarounds. Via a workaround, users prevent or mitigate the risk of a vulnerability without needing to eliminate it. So far, little attention has been paid to this fruitful approach, even though workarounds can be highly effective when dealing with vulnerabilities. In this research, a dataset is compiled from four of the most-referenced vulnerability databases (OSVDB, Security Tracker, CERT CC Vulnerability Notes and NVD). In this dataset, which we have called VuWaDB, the workarounds are organized into six main categories: configuration, code modification, route alteration, elimination, access restriction and utility tools. The CWEs that NVD assigns to each vulnerability are used to determine vulnerability types. In order to discover the relationship between vulnerabilities and their related workarounds, a bipartite graph is constructed after a statistical survey. The obtained results are analyzed and presented in related tables, which provide the relation between software vulnerabilities and their workarounds.

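The pipeline the abstract describes (type each vulnerability by its NVD CWE, place its workaround in one of the six VuWaDB categories, then build the weighted bipartite graph between CWE and workaround category) can be reproduced on a small scale. The block below is an added example and is not code from the paper or from VuWaDB. The keyword heuristic that assigns advisory text to a category, the `Record` type, the placeholder vulnerability ids and all sample records are constructed for this example; the paper does not state how its own records were categorised, and merging the four source databases is not shown here.

```python
"""Toy reconstruction of the VuWaDB analysis: classify each vulnerability's
workaround into one of six categories, type the vulnerability by its NVD
CWE, and build the weighted bipartite graph CWE <-> workaround category."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The six workaround categories named in the abstract.
WORKAROUND_CATEGORIES = (
    "configuration", "code modification", "route alteration",
    "elimination", "access restriction", "utility tools",
)

# Keyword heuristic mapping advisory workaround text to a category.
# ASSUMPTION of this example only; the first matching category wins.
CATEGORY_KEYWORDS = {
    "configuration": ("disable", "set", "option", "configuration"),
    "code modification": ("edit the source", "modify the code", "recompile"),
    "route alteration": ("proxy", "redirect", "reroute"),
    "elimination": ("remove", "uninstall", "delete"),
    "access restriction": ("restrict", "firewall", "deny", "only allow"),
    "utility tools": ("tool", "scanner", "filter module"),
}


@dataclass(frozen=True)
class Record:
    """One VuWaDB-style entry: vulnerability id, NVD CWE, workaround text."""
    vuln_id: str
    cwe: str
    workaround: str


# Constructed sample records with placeholder ids; not real advisories.
SAMPLE_RECORDS = [
    Record("VULN-0001", "CWE-79", "Disable the affected option in the server configuration file"),
    Record("VULN-0002", "CWE-79", "Deploy a filtering proxy in front of the application"),
    Record("VULN-0003", "CWE-119", "Remove the vulnerable module until a fix is available"),
    Record("VULN-0004", "CWE-119", "Restrict access to the service to trusted hosts with a firewall"),
    Record("VULN-0005", "CWE-89", "Edit the source to escape the query parameter"),
    Record("VULN-0006", "CWE-89", "Run the vendor-supplied checking tool before enabling the feature"),
    Record("VULN-0007", "CWE-79", "Set the HttpOnly flag in the application configuration"),
    Record("VULN-0008", "CWE-22", "Uninstall the affected plug-in"),
    Record("VULN-0009", "CWE-22", "Deny requests to the affected path at the network firewall"),
    Record("VULN-0010", "CWE-79", "No workaround is known"),
]


def classify_workaround(text: str) -> str:
    """Return the workaround category for advisory text, or 'unclassified'."""
    lowered = text.lower()
    for category in WORKAROUND_CATEGORIES:
        for keyword in CATEGORY_KEYWORDS[category]:
            # Whole-word match so that e.g. 'optional' does not hit 'option'.
            if re.search(r"\b" + re.escape(keyword) + r"\b", lowered):
                return category
    return "unclassified"


def build_bipartite_graph(records):
    """Weighted bipartite graph: edge (cwe, category) -> number of vulnerabilities.
    Records whose workaround could not be categorised contribute no edge."""
    weights = defaultdict(int)
    for rec in records:
        category = classify_workaround(rec.workaround)
        if category != "unclassified":
            weights[(rec.cwe, category)] += 1
    return dict(weights)


def neighbours(graph, cwe):
    """Workaround categories linked to a CWE, with their edge weights."""
    return {cat: w for (c, cat), w in graph.items() if c == cwe}


def dominant_workaround(graph, cwe):
    """Most frequent workaround category for a CWE (ties broken alphabetically)."""
    nbrs = neighbours(graph, cwe)
    if not nbrs:
        return None
    return sorted(nbrs.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]


def edge_table(graph):
    """Rows (cwe, category, weight), sorted for tabular presentation."""
    return sorted((c, cat, w) for (c, cat), w in graph.items())


if __name__ == "__main__":
    g = build_bipartite_graph(SAMPLE_RECORDS)
    for cwe, cat, w in edge_table(g):
        print(f"{cwe:>8}  --{w}--  {cat}")
    for cwe in sorted({r.cwe for r in SAMPLE_RECORDS}):
        print(cwe, "->", dominant_workaround(g, cwe))
```

On the constructed records the graph has eight weighted edges; CWE-79 is linked to "configuration" twice and "route alteration" once, so "configuration" is its dominant workaround, while the unclassified record contributes no edge. A real run would replace the keyword heuristic with the manual categorisation the paper performed and feed it the merged records from the four databases.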

Keywords [English]

  • Software Vulnerability
  • Workaround
  • VuWaDB Database
  • CWE
  • Bipartite Graph