Abstract
Security and reliability are important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. In this work we examine the feasibility of quantitatively characterizing some aspects of security. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a future release of a software system. We use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in some of the popular operating systems is analyzed. We examine this data to determine if the density of vulnerabilities in a program is a useful measure. We try to identify what fraction of software defects are security related, i.e., are vulnerabilities. We examine the dynamics of vulnerability discovery, hypothesizing that it may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We consider the vulnerability-discovery rate to see if models can be developed to project future trends. Finally, we use the data for both commercial and open-source systems to determine whether the key observations are generally applicable. Our results indicate that the values of vulnerability densities fall within a range of values, just like the commonly used measure of defect density for general defects. Our examination also reveals that vulnerability discovery may be influenced by several factors, including sharing of code between successive versions of a software system.
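The abstract describes three measures: vulnerability density (vulnerabilities per thousand source lines), the fraction of defects that are vulnerabilities, and a discovery-rate model used to estimate how many vulnerabilities remain undiscovered. The following is an added illustration, not code or data from the paper; it assumes an exponential reliability-growth form y(t) = N(1 - e^{-bt}) for the cumulative discovery curve (the paper's page names no specific model) and uses constructed monthly counts rather than real data for any operating system.

```python
"""Added example: vulnerability density and a discovery-curve fit.

Assumed model (not stated on the paper's page): cumulative vulnerabilities
found by month t follow y(t) = N * (1 - exp(-b * t)), where N is the total
that will eventually be found and b is the per-month discovery rate.
Fitting N to partial data estimates the undiscovered remainder; N per KSLOC
gives a density comparable across releases, as the abstract proposes.
"""
import math

# Constructed sample data: cumulative vulnerabilities found, months 1..10.
CUMULATIVE = [9, 17, 24, 30, 35, 40, 44, 47, 50, 53]
KSLOC = 4500.0          # constructed code size (thousand source lines)
TOTAL_DEFECTS = 20000   # constructed total defects reported for the release


def predicted(n, b, t):
    """Cumulative vulnerabilities the exponential model predicts at month t."""
    return n * (1.0 - math.exp(-b * t))


def sse(n, b, data):
    """Sum of squared errors of the model against the observed curve."""
    return sum((predicted(n, b, t + 1) - y) ** 2 for t, y in enumerate(data))


def fit_exponential(data):
    """Least-squares fit of (N, b) by grid search; N cannot be below the
    count already observed, so the grid starts at max(data)."""
    best = None
    for n in range(max(data), 5 * max(data) + 1):
        for i in range(1, 201):
            b = i * 0.005
            err = sse(n, b, data)
            if best is None or err < best[0]:
                best = (err, n, b)
    return best[1], best[2]


def remaining(n_est, data):
    """Estimated vulnerabilities still undiscovered after the last month."""
    return n_est - data[-1]


def vulnerability_density(count, ksloc):
    """Vulnerabilities per thousand source lines of code."""
    return count / ksloc


def vulnerability_fraction(count, total_defects):
    """Fraction of all reported defects that are vulnerabilities."""
    return count / total_defects


if __name__ == "__main__":
    n_est, b_est = fit_exponential(CUMULATIVE)
    print(f"N={n_est} b={b_est:.3f} remaining={remaining(n_est, CUMULATIVE)}")
    print(f"density={vulnerability_density(n_est, KSLOC):.4f}/KSLOC "
          f"fraction={vulnerability_fraction(n_est, TOTAL_DEFECTS):.4f}")
```

The same fit can be run on each release's own curve; a much lower fitted N for a successor release that shares most of its code base is the kind of effect the abstract attributes to code sharing between versions.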
Keywords
- Defect Density
- Software Reliability
- Security Vulnerability
- Quantitative Perspective
- Software Reliability Growth Model
© 2005 IFIP International Federation for Information Processing
About this paper
Cite this paper
Alhazmi, O., Malaiya, Y., Ray, I. (2005). Security Vulnerabilities in Software Systems: A Quantitative Perspective. In: Jajodia, S., Wijesekera, D. (eds) Data and Applications Security XIX. DBSec 2005. Lecture Notes in Computer Science, vol 3654. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11535706_21
DOI: https://doi.org/10.1007/11535706_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28138-2
Online ISBN: 978-3-540-31937-5