Quantifying the security risk of discovering and exploiting software vulnerabilities
dc.contributor.author | Mussa, Awad A. Younis, author | |
dc.contributor.author | Malaiya, Yashwant, advisor | |
dc.contributor.author | Ray, Indrajit, committee member | |
dc.contributor.author | Anderson, Charles W., committee member | |
dc.contributor.author | Vijayasarathy, Leo, committee member | |
dc.date.accessioned | 2016-08-18T23:10:10Z | |
dc.date.available | 2016-08-18T23:10:10Z | |
dc.date.issued | 2016 | |
dc.description.abstract | Most attacks on computer systems and networks are enabled by vulnerabilities in software, so assessing the security risk associated with those vulnerabilities is important. Risk models such as the Common Vulnerability Scoring System (CVSS), the Open Web Application Security Project (OWASP) risk rating methodology and the Common Weakness Scoring System (CWSS) have been used to qualitatively assess the security risk presented by a vulnerability. CVSS is the de facto standard, and its metrics need to be independently evaluated. In this dissertation we propose a quantitative approach that uses actual data, mathematical and statistical modeling, data analysis, and measurement. We introduce a novel vulnerability discovery model, the Folded model, that estimates the risk of vulnerability discovery from the number of residual vulnerabilities in a given software system. In addition to estimating the discovery risk for a whole system, the dissertation introduces a novel metric, time to vulnerability discovery, to assess the discovery risk of an individual vulnerability. We also propose a novel vulnerability exploitability risk measure, Structural Severity, based on software properties: attack entry points, vulnerability location, the presence of dangerous system calls, and reachability analysis. Beyond measurement, the dissertation also proposes predicting vulnerability exploitability risk from internal software metrics. Finally, we propose two approaches for evaluating the CVSS Base metrics. Using the availability of exploits as ground truth, we first evaluate the performance of the CVSS Exploitability factor and compare it with the Microsoft (MS) rating system; the results show that the exploitability metrics of both CVSS and MS have a high false positive rate. This finding motivated further investigation: we introduce vulnerability reward programs (VRPs) as a novel ground truth for evaluating CVSS Base scores. The results show that the notable lack of exploits for high-severity vulnerabilities may be the result of prioritized fixing of those vulnerabilities. | |
dc.format.medium | born digital | |
dc.format.medium | doctoral dissertations | |
dc.identifier | Mussa_colostate_0053A_13672.pdf | |
dc.identifier.uri | http://hdl.handle.net/10217/176641 | |
dc.language | English | |
dc.language.iso | eng | |
dc.publisher | Colorado State University. Libraries | |
dc.relation.ispartof | 2000-2019 | |
dc.rights | Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright. | |
dc.subject | software security | |
dc.subject | vulnerabilities exploitation | |
dc.subject | vulnerability rewards program and time to vulnerability disclosure | |
dc.subject | software vulnerabilities | |
dc.subject | CVSS and OWASP metrics | |
dc.subject | vulnerabilities risk and severity | |
dc.title | Quantifying the security risk of discovering and exploiting software vulnerabilities | |
dc.type | Text | |
dcterms.rights.dpla | This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s). | |
thesis.degree.discipline | Computer Science | |
thesis.degree.grantor | Colorado State University | |
thesis.degree.level | Doctoral | |
thesis.degree.name | Doctor of Philosophy (Ph.D.) |
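The abstract evaluates the CVSS Exploitability factor against exploit availability and reports a high false positive rate. The following is an added example, not code from the dissertation or its author, showing how such an evaluation is set up: the CVSS v2 Exploitability subscore (computed from the published v2 weights) is treated as a binary predictor of "a public exploit exists", and a confusion matrix, false positive rate and precision are computed against a ground-truth label. The vulnerability sample, its labels and the decision thresholds are constructed assumptions for illustration; the dissertation's real dataset, ground-truth source and thresholds are not on this page.

```python
# Added example, not code from the dissertation: score the CVSS v2 Exploitability
# subscore as a predictor of exploit availability. Sample data, labels and the
# thresholds are assumptions made for illustration only.
from dataclasses import dataclass

# CVSS v2 Base-metric weights for the three Exploitability metrics
# (Access Vector, Access Complexity, Authentication), from the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """CVSS v2 Exploitability = 20 * AccessVector * AccessComplexity * Authentication,
    rounded to one decimal as NVD displays it (range 0.0 to 10.0)."""
    return round(20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au], 1)


@dataclass(frozen=True)
class Vuln:
    vid: str                  # local label only; not a real CVE identifier
    av: str                   # Access Vector: L(ocal), A(djacent), N(etwork)
    ac: str                   # Access Complexity: H(igh), M(edium), L(ow)
    au: str                   # Authentication: M(ultiple), S(ingle), N(one)
    exploit_available: bool   # ground truth: a public exploit is known to exist


# Constructed sample, not real vulnerability data. Several network-reachable,
# low-complexity, no-auth entries deliberately have no known exploit, which is
# the situation that produces false positives for a score-based predictor.
SAMPLE = [
    Vuln("v01", "N", "L", "N", True),
    Vuln("v02", "N", "L", "N", False),
    Vuln("v03", "N", "L", "N", False),
    Vuln("v04", "N", "M", "N", False),
    Vuln("v05", "N", "M", "S", True),
    Vuln("v06", "A", "L", "N", False),
    Vuln("v07", "L", "L", "N", False),
    Vuln("v08", "L", "M", "N", True),
    Vuln("v09", "N", "H", "N", False),
    Vuln("v10", "L", "H", "S", False),
]


def confusion(vulns, threshold: float) -> dict:
    """Count TP/FP/TN/FN when 'predicted exploitable' means subscore >= threshold."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for v in vulns:
        predicted = exploitability_subscore(v.av, v.ac, v.au) >= threshold
        if predicted and v.exploit_available:
            counts["tp"] += 1
        elif predicted and not v.exploit_available:
            counts["fp"] += 1
        elif not predicted and not v.exploit_available:
            counts["tn"] += 1
        else:
            counts["fn"] += 1
    return counts


def false_positive_rate(vulns, threshold: float) -> float:
    """Share of vulnerabilities with no exploit that the threshold still flags."""
    c = confusion(vulns, threshold)
    negatives = c["fp"] + c["tn"]
    return c["fp"] / negatives if negatives else 0.0


def precision(vulns, threshold: float) -> float:
    """Share of flagged vulnerabilities that actually have an exploit."""
    c = confusion(vulns, threshold)
    flagged = c["tp"] + c["fp"]
    return c["tp"] / flagged if flagged else 0.0


def sweep(vulns, thresholds=(10.0, 8.0, 6.0, 4.0)) -> dict:
    """Tabulate FPR and precision across thresholds to show the trade-off."""
    return {t: (false_positive_rate(vulns, t), precision(vulns, t)) for t in thresholds}


if __name__ == "__main__":
    for t, (fpr, prec) in sweep(SAMPLE).items():
        print(f"threshold >= {t:4.1f}: FPR={fpr:.2f} precision={prec:.2f} {confusion(SAMPLE, t)}")
```

On the constructed sample, lowering the threshold raises recall only by flagging more unexploited vulnerabilities, so the false positive rate climbs from 2/7 at a threshold of 10.0 to 5/7 at 4.0. The same harness can be rerun with a different ground-truth column (for example, whether a VRP paid for the report) to reproduce the second kind of comparison the abstract describes.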
Files
Original bundle
- Name: Mussa_colostate_0053A_13672.pdf
- Size: 2.61 MB
- Format: Adobe Portable Document Format