Understanding Vulnerability by Refining Taxonomy
DESCRIPTION
In this presentation, we share our reviews and critiques of various vulnerability taxonomies. We also propose criteria for a taxonomy to be graded as a well-defined taxonomy. On top of that, we share our taxonomy, which is specifically constructed to understand various vulnerabilities in the C programming language.
TRANSCRIPT
Understanding Vulnerabilities by Refining Taxonomy
Nurul Haszeli Ahmad₁
Syed Ahmad Aljunid₁
Jamalul-lail Ab Manan₂
₁ FSKM, UiTM Shah Alam
₂ MIMOS Berhad
Contents
• Introduction
• Taxonomy and Criteria of a Well-Defined Taxonomy
• Previous Vulnerabilities Taxonomies and Gaps
• Refining Previous Taxonomies
• Taxonomy of C Overflow Vulnerabilities Attack
• Contribution
• Conclusion
• Q & A
Introduction
• Vulnerabilities and exploitation started in the late 80s
• Experts started to identify vulnerabilities in the early 90s to improve understanding of the behavior and nature of vulnerabilities (Aslam, 1995; Howard et al., 2009; Viega & McGraw, 2001; Seacord, 2005; etc.)
• Programming rules and tools are constructed using these classifications
• However, vulnerabilities are still at large (Microsoft, 2011; MITRE, 2011; and IBM, 2011)
• Most dominant and prominent: overflow vulnerabilities in applications developed using the C language
Introduction… cont.
• This paper focuses on:
– Identifying and describing the criteria of a Well-Defined Taxonomy
– Criticizing previous taxonomies, including identifying gaps and proposing improvements
– Briefly presenting the C overflow vulnerabilities attack taxonomy
• Why?
– Accurate comprehension of the problems is crucial towards improvement of security implementation and analysis tools (Krsul, 1998)
– Understanding vulnerabilities is crucial towards developing secure software, thus gaining trustworthiness from users (Bill Gates, 2002)
Taxonomy and Criteria of a Well-Defined Taxonomy
• Definition (Krsul, 1998; Patrick, 2006; Merriam-Webster, 2011)
– Taxonomy
• A study to generalize and classify studied objects
– Classification
• An arrangement of studied objects into a specific order or sharing the same behaviour
– Vulnerabilities Taxonomy
• A generalization and classification of vulnerabilities
– Criteria of a well-defined taxonomy
• A set of criteria that ensures a taxonomy covers the scope of the objects studied.
Well-Defined Taxonomy
• An arrangement or classification structure that fulfils a list of criteria which ensure it is complete and understandable, and thus useful in building knowledge on the objects studied.
Criteria of A Well-Defined Taxonomy
1. Simplicity
2. Organized Structures
3. Obvious
4. Repeatability
5. Mutually Exclusive
6. Completeness
7. Similarity
8. Knowledge Compliant
Source: Krsul, 1998; Alhazmi et al., 2006; Howard et al., 1998; Vijayaraghavan & Kaner, 2003; Hansmann, 2003; Killourhy et al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansmann & Hunt, 2005; Venter & Eloff, 2003; Bishop & Bailey, 1996.
Criteria of A Well-Defined Taxonomy
No. | Characteristics | Description
1 | Simplicity | Simplified into diagram or structures
2 | Organized Structures | Organized into readable structures
3 | Obvious | SMART and observable objective; process flow is clear and easily followed
4 | Repeatability | Repeatable result
5 | Specificity / Mutually Exclusive / Primitive | Specific and explicit value; object belongs to ONLY one class
6 | Completeness | Covers all objects of the same behavior or character
7 | Similarity | Similar characteristics of objects in a class
8 | Knowledge Compliant | Built using known existing terminology
Source: Krsul, 1998; Alhazmi et al., 2006; Howard et al., 1998; Vijayaraghavan & Kaner, 2003; Hansmann, 2003; Killourhy et al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansmann & Hunt, 2005; Venter & Eloff, 2003; Bishop & Bailey, 1996.
Previous Vulnerabilities Taxonomies and Gaps (General)
Columns 1 to 8: Well-Defined Characteristics
Taxonomy | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
H. Shahriar, M. Zulkernine (2011) | √ | √ | X | X | X | X | √ | √
A. Bazaz, J. D. Arthur (2007) | √ | √ | X | X | X | X | √ | √
O. H. Alhazmi et al. (2006) | √ | √ | √ | √ | √ | X | √ | √
M. Gegick, L. Williams (2005) | √ | X | √ | √ | √ | X | √ | √
K. Tsipenyuk et al. (2005) | √ | √ | √ | X | X | X | √ | √
S. Hansman, R. Hunt (2005) | X | √ | X | √ | X | √ | √ | √
V. Pothamsetty, B. Akyol (2004) | X | X | √ | X | X | √ | √ | √
Killourhy, K. S., et al. (2004) | √ | √ | √ | X | √ | X | √ | √
Lough, D. L. (2001) | √ | √ | X | X | X | X | √ | √
Krsul, I. V. (1998) | √ | √ | X | X | X | X | √ | √
Howard, J. D., Longstaff, T. A. (1998) | √ | √ | X | X | √ | √ | √ | √
Aslam, T. (1995) | √ | √ | X | X | X | X | √ | √
Previous Vulnerabilities Taxonomies and Gaps (C Overflow)
Columns 1 to 8: Well-Defined Characteristics
Taxonomy | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
H. D. Moore (2007) | √ | √ | X | √ | X | X | √ | √
A. I. Sotirov (2005) | √ | √ | √ | X | √ | X | √ | √
M. A. Zhivich (2005) | √ | √ | √ | X | X | X | √ | √
K. Kratkiewicz (2005) | √ | √ | √ | X | X | X | √ | √
M. Zitser (2003) | √ | √ | √ | X | X | X | √ | √
Proposed improvements for previous taxonomies (General)
Taxonomy and proposed improvement:
H. Shahriar, M. Zulkernine (2011)
• Combine classes with objects sharing similar characteristics
• Clear and observable definition and process flow
A. Bazaz, J. D. Arthur (2007)
• Divide classes into sub-classes due to generality
• Clear and observable process flow
• Reduce constraints or assumptions
O. H. Alhazmi et al. (2006)
• Combine process and classes for both by type and severity
• Further divide into sub-classes
M. Gegick, L. Williams (2005)
• Build on top of existing knowledge
• Clear and observable process flow
K. Tsipenyuk et al. (2005)
• Combine classes that share characteristics
• Well-structured to differentiate languages used
• Too many classes and too wide: should reduce the scope
S. Hansman, R. Hunt (2005)
• Reduce the scope
• Rearrange the classification
V. Pothamsetty, B. Akyol (2004)
• Further divide into sub-classes
• Reduce the scope
• Rearrange the class structure
Killourhy, K. S., et al. (2004)
• Clear and observable process flow and definition
• Build on top of existing knowledge
Lough, D. L. (2001)
• Further divide into sub-classes
Krsul, I. V. (1998)
• Clear and observable process flow
• Well-structured classes
Howard, J. D., Longstaff, T. A. (1998)
• Clear and observable process flow
• Well-structured classes
• Further divide into sub-classes
Aslam, T. (1995)
• Extend the list further
• Rearrange the classes
Proposed improvements for previous taxonomies (C Overflow)
Taxonomy and proposed improvement:
H. D. Moore (2007)
• Clear definition of class
• Divide further into a few sub-classes
A. I. Sotirov (2005)
• Extend and generalize to cover the latest vulnerabilities
• Restructure the class
M. A. Zhivich (2005)
• Extend the list of overflow vulnerabilities
• Restructure to have a specific class on overflows
K. Kratkiewicz (2005)
• Restructure the classes
• Implement hierarchy-based classes
M. Zitser (2003)
• Restructure the classes
• Implement hierarchy-based classes
Taxonomy of C Overflow Vulnerabilities Attack
Sources: Ahmad et al., 2011 (ICSECS); Ahmad et al., 2011 (IJNCAA)
Contribution
1. Consolidate and construct the criteria of a well-defined taxonomy
2. Consolidate all reviews on previous taxonomies
3. Critical reviews, including identifying gaps and proposing potential improvements on previous taxonomies
Conclusion
• Construct and discuss characteristics of a well-defined taxonomy
• Critical review of previous vulnerability taxonomies in the context of well-defined characteristics
• Propose possible improvements for previous taxonomies
• Briefly share a constructed taxonomy specific to C overflow vulnerabilities which meets the criteria of a well-defined taxonomy
Nurul Haszeli Ahmad
UiTM Shah Alam
Email: [email protected]: http://malaysiandeveloper.blogspot.com
Skype, LinkedIn & Twitter: masteramuk

Syed Ahmad Aljunid
FSKM, UiTM Shah Alam
Email: [email protected]

Jamalul-lail Ab Manan
MIMOS Berhad
Email: [email protected]