Emulating representative software vulnerabilities using field data
Authors
Abstract
Security vulnerabilities are a concern in systems and software exposed via networked interfaces. Previous research has shown that only a minority of vulnerabilities can be emulated through existing software fault injection techniques. This paper aims to accurately emulate software security vulnerabilities. To this end, it provides a field-data study of the operators needed to emulate vulnerabilities in software written in the C programming language. A practical implementation is constructed, and the feasibility of emulating software vulnerabilities is evaluated. The emulation operators were obtained by analyzing publicly available vulnerability databases for the Linux kernel, the Xen hypervisor, and the OpenSSH tool. The results show that a typical security vulnerability involves a single function and consists of a combination of up to three fault operator instances. The expected impact of this study is to allow practical emulation of security defects in large software projects, in support of software quality and security assessment.
Keywords
Security, dependability, security vulnerabilities, software faults
Subject
Software engineering
Journal
Springer Computing, Vol. 101, #2, pp. 119-138, August 2018