The relationship of software vulnerabilities and workarounds

Document Type: Original Article

Authors

Computer Engineering Department, Yazd University, Yazd, Iran.

Abstract

This paper investigates the relationship between vulnerability types and their workarounds. A workaround lets users prevent or mitigate the risk posed by a vulnerability without eliminating it. So far, little attention has been paid to this approach, even though workarounds can be highly effective when dealing with vulnerabilities. In this research, a dataset is compiled from four of the most widely referenced vulnerability databases (OSVDB, Security Tracker, CERT/CC Vulnerability Notes and NVD). In this dataset, which we call VuWaDB, the workarounds are organized into six main categories: configuration, code modification, route alteration, elimination, access restriction and utility tools. The CWE identifiers that NVD assigns to each vulnerability are used to determine vulnerability types. To discover the relationship between vulnerabilities and their workarounds, a statistical survey is performed and a bipartite graph between vulnerability types and workaround categories is constructed. The results are analyzed and presented in tables that relate software vulnerabilities to their workarounds.
 
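As an added illustration of the method the abstract describes, the Python below builds the CWE/workaround bipartite graph from a small set of records and derives the per-CWE relation table and the dominant workaround category. This is example code written for this page, not code from VuWaDB or its authors; the record ids and the CWE-to-category pairings are constructed for illustration (the CWE numbers are real CWE identifiers, the six categories are the abstract's), and the record layout (id, CWE, category) is an assumption about how such a dataset would be stored.

```python
"""Bipartite graph between vulnerability types (CWE) and workaround categories.

Example code written for this page, not code from VuWaDB or its authors.
The records below are constructed for illustration: the CWE ids are real CWE
identifiers, but their pairings with workaround categories are not taken
from any real advisory.
"""
from collections import Counter, defaultdict

# The six workaround categories named in the abstract.
WORKAROUND_CATEGORIES = (
    "configuration",
    "code modification",
    "route alteration",
    "elimination",
    "access restriction",
    "utility tools",
)

# Constructed sample records: (record id, CWE assigned by NVD, workaround category).
SAMPLE_RECORDS = [
    ("rec-01", "CWE-79", "configuration"),
    ("rec-02", "CWE-79", "code modification"),
    ("rec-03", "CWE-79", "configuration"),
    ("rec-04", "CWE-89", "access restriction"),
    ("rec-05", "CWE-89", "code modification"),
    ("rec-06", "CWE-119", "elimination"),
    ("rec-07", "CWE-119", "utility tools"),
    ("rec-08", "CWE-119", "elimination"),
    ("rec-09", "CWE-200", "access restriction"),
    ("rec-10", "CWE-200", "route alteration"),
    ("rec-11", "CWE-200", "access restriction"),
]


def build_bipartite_graph(records):
    """Return the weighted bipartite graph as {cwe: Counter({category: weight})}.

    Left node set: CWE ids. Right node set: workaround categories. The weight
    of an edge is the number of records that pair that CWE with that category.
    A record whose category is outside the six-category scheme is rejected so
    that a typo in the dataset cannot silently create a seventh node.
    """
    graph = defaultdict(Counter)
    for record_id, cwe, category in records:
        if category not in WORKAROUND_CATEGORIES:
            raise ValueError(f"{record_id}: unknown workaround category {category!r}")
        graph[cwe][category] += 1
    return dict(graph)


def relation_table(graph):
    """Rows: CWE. Columns: the six categories. Cell: share of that CWE's workarounds."""
    table = {}
    for cwe, edges in graph.items():
        total = sum(edges.values())
        table[cwe] = {c: edges.get(c, 0) / total for c in WORKAROUND_CATEGORIES}
    return table


def dominant_workaround(graph, cwe):
    """Category with the heaviest edge for a CWE; ties go to the earlier category."""
    edges = graph[cwe]
    return max(WORKAROUND_CATEGORIES,
               key=lambda c: (edges.get(c, 0), -WORKAROUND_CATEGORIES.index(c)))


def category_projection(graph):
    """The other side of the graph: {category: Counter({cwe: weight})}."""
    projection = defaultdict(Counter)
    for cwe, edges in graph.items():
        for category, weight in edges.items():
            projection[category][cwe] += weight
    return dict(projection)


def render_table(table):
    """Plain-text table of the shares, one row per CWE."""
    header = "CWE".ljust(9) + "".join(c[:8].rjust(10) for c in WORKAROUND_CATEGORIES)
    rows = [header]
    for cwe in sorted(table, key=lambda c: int(c.split("-")[1])):
        cells = "".join(f"{table[cwe][c]:10.2f}" for c in WORKAROUND_CATEGORIES)
        rows.append(cwe.ljust(9) + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    g = build_bipartite_graph(SAMPLE_RECORDS)
    print(render_table(relation_table(g)))
    for cwe in g:
        print(cwe, "->", dominant_workaround(g, cwe))
```

The graph is kept as a weighted adjacency map rather than a library graph object so that both projections (which workarounds a CWE admits, and which CWEs a workaround category covers) fall out of the same structure; the share table is what a relation table in the paper's sense would hold once computed over the full dataset instead of this constructed sample.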

Keywords

