A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2015; you can also visit <a rel="external noopener" href="http://www.cs.colostate.edu/~malaiya/p/younisSoftwareStructure.pdf">the original URL</a>. The file type is <code>application/pdf</code>.
Using Software Structure to Predict Vulnerability Exploitation Potential
<span title="">2014</span>
<i title="IEEE">
<a target="_blank" rel="noopener" href="https://fatcat.wiki/container/onbsentw55e5hgvyh5sfj5xnke" style="color: black;">2014 IEEE Eighth International Conference on Software Security and Reliability-Companion</a>
</i>
Most attacks on computer systems are due to the presence of vulnerabilities in software. Recent trends show that the number of newly discovered vulnerabilities continues to be significant. Studies have also shown that the time gap between the public disclosure of a vulnerability and the release of an automated exploit is getting smaller. Therefore, assessing the exploitability risk of vulnerabilities is critical, as it helps decision-makers prioritize among vulnerabilities, allocate resources, and choose between alternatives. Several methods have recently been proposed in the literature to deal with this challenge. However, these methods are either subjective, require human involvement in assessing exploitability, or do not scale. In this research, our aim is to first identify the vulnerability exploitation risk problem. Then, we introduce a novel vulnerability exploitability metric based on software structure properties, viz. attack entry points, vulnerability location, presence of dangerous system calls, and reachability. Based on our preliminary results, reachability and the presence of dangerous system calls appear to be good indicators of exploitability. Next, we propose using the suggested metric as a feature to construct a model using machine learning techniques for automatically predicting the risk of vulnerability exploitation. To build a vulnerability exploitation model, we propose using Support Vector Machines (SVMs). Once the predictor is built, given an unseen vulnerable function and its exploitability features, the model can predict whether the given function is exploitable or not.
<span class="external-identifiers">
<a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1109/sere-c.2014.17">doi:10.1109/sere-c.2014.17</a>
<a target="_blank" rel="external noopener" href="https://dblp.org/rec/conf/ssiri/YounisM14.html">dblp:conf/ssiri/YounisM14</a>
<a target="_blank" rel="external noopener" href="https://fatcat.wiki/release/4xf2g3e26jfffmodz7httr44eu">fatcat:4xf2g3e26jfffmodz7httr44eu</a>
</span>
<a target="_blank" rel="noopener" href="https://web.archive.org/web/20151001212528/http://www.cs.colostate.edu/~malaiya/p/younisSoftwareStructure.pdf" title="fulltext PDF download" data-goatcounter-click="serp-fulltext" data-goatcounter-title="serp-fulltext">Web Archive [PDF]</a>