Quantifying the security risk of discovering and exploiting software vulnerabilities

dc.contributor.author: Mussa, Awad A. Younis, author
dc.contributor.author: Malaiya, Yashwant, advisor
dc.contributor.author: Ray, Indrajit, committee member
dc.contributor.author: Anderson, Charles W., committee member
dc.contributor.author: Vijayasarathy, Leo, committee member
dc.date.accessioned: 2016-08-18T23:10:10Z
dc.date.available: 2016-08-18T23:10:10Z
dc.date.issued: 2016
dc.description.abstract: Most of the attacks on computer systems and networks are enabled by vulnerabilities in software. Assessing the security risk associated with those vulnerabilities is important. Risk models such as the Common Vulnerability Scoring System (CVSS), Open Web Application Security Project (OWASP) and Common Weakness Scoring System (CWSS) have been used to qualitatively assess the security risk presented by a vulnerability. CVSS metrics are the de facto standard, and they need to be independently evaluated. In this dissertation, we propose a quantitative approach that uses actual data, mathematical and statistical modeling, data analysis, and measurement. We have introduced a novel vulnerability discovery model, the Folded model, that estimates the risk of vulnerability discovery based on the number of residual vulnerabilities in a given software system. In addition to estimating the risk of vulnerability discovery for a whole system, this dissertation introduces a novel metric, termed time to vulnerability discovery, to assess the risk of discovery of an individual vulnerability. We have also proposed a novel vulnerability exploitability risk measure termed Structural Severity. It is based on software properties, namely attack entry points, vulnerability location, the presence of dangerous system calls, and reachability analysis. In addition to measurement, this dissertation also proposes predicting vulnerability exploitability risk using internal software metrics. We have also proposed two approaches for evaluating the CVSS Base metrics. Using the availability of exploits, we first evaluated the performance of the CVSS Exploitability factor and compared it to the Microsoft (MS) rating system. The results showed that the exploitability metrics of CVSS and MS have a high false positive rate. This finding motivated us to conduct further investigation. To that end, we introduced vulnerability reward programs (VRPs) as a novel ground truth for evaluating CVSS Base scores. The results show that the notable lack of exploits for high-severity vulnerabilities may be the result of prioritized fixing of those vulnerabilities.
dc.format.medium: born digital
dc.format.medium: doctoral dissertations
dc.identifier: Mussa_colostate_0053A_13672.pdf
dc.identifier.uri: http://hdl.handle.net/10217/176641
dc.language: English
dc.language.iso: eng
dc.publisher: Colorado State University. Libraries
dc.relation.ispartof: 2000-2019
dc.rights: Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright.
dc.subject: software security
dc.subject: vulnerabilities exploitation
dc.subject: vulnerability rewards program and time to vulnerability disclosure
dc.subject: software vulnerabilities
dc.subject: CVSS and OWASP metrics
dc.subject: vulnerabilities risk and severity
dc.title: Quantifying the security risk of discovering and exploiting software vulnerabilities
dc.type: Text
dcterms.rights.dpla: This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).
thesis.degree.discipline: Computer Science
thesis.degree.grantor: Colorado State University
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy (Ph.D.)

Files

Original bundle (1 file)
Name: Mussa_colostate_0053A_13672.pdf
Size: 2.61 MB
Format: Adobe Portable Document Format