
Vulnerability Analysis in VGBPS Using Prolog

  • Conference paper
International Symposium on Fundamentals of Software Engineering (FSEN 2007)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 4767))


Abstract

Vulnerabilities are now part of all software systems. Many approaches have been proposed to handle them, and many of these try to analyze vulnerabilities using model checking techniques. However, the models used in these approaches handle authorized and unauthorized rules separately, which results in weaker modeling abilities and consequently weaker vulnerability analysis. By authorized and unauthorized rules, we mean those derived from the access control model and those originating from vulnerabilities, respectively. Recently, a new general graph-based protection system concentrating on vulnerabilities, called VGBPS, has been proposed to overcome this problem. VGBPS combines vulnerabilities and their related rules in an access control system in such a way that no extra effort is needed to handle them. Instead, vulnerability analysis in this model can be done by answering the safety problem. Using this model, we propose a new approach to vulnerability analysis based on the Prolog inference engine. In this approach, we show how to express the modeling graph and rule set of a VGBPS model using Prolog facts and rules. The safety problem is also defined by Prolog rules. Finally, we use the Prolog inference engine to answer the safety problem, which is the basis of vulnerability analysis in VGBPS. We provide a case study to show how this approach can help find possible exploits of a specific configuration in a system. Using Prolog, we can also find all possible scenarios of these exploits, which can be used in many security analyses.



Editor information

Farhad Arbab, Marjan Sirjani

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Rafiei, M.E., Taherian, M., Mousavi, H., Movaghar, A., Jalili, R. (2007). Vulnerability Analysis in VGBPS Using Prolog. In: Arbab, F., Sirjani, M. (eds) International Symposium on Fundamentals of Software Engineering. FSEN 2007. Lecture Notes in Computer Science, vol 4767. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75698-9_28

  • DOI: https://doi.org/10.1007/978-3-540-75698-9_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75697-2

  • Online ISBN: 978-3-540-75698-9

  • eBook Packages: Computer Science, Computer Science (R0)
