A New View on Classification of Software Vulnerability Mitigation Methods

A New View on Classification of Software Vulnerability Mitigation Methods

Babak Sadeghiyan

Contact

Maryam Mouzarani

Contact

Amirkabir University of Technology

A New View on Classification of Software Vulnerability Mitigation Methods

Article Fingerprint

ReserarchID

CSTSDE57MZB

A New View on Classification of Software Vulnerability Mitigation Methods Banner

AI TAKEAWAY

Connecting with the Eternal Ground

Abstract

Software vulnerability mitigation is a well-known research area, and many methods have been proposed for it. Some papers try to classify these methods from different specific points of views. In this paper, we aggregate all proposed classifications and present a comprehensive classification of vulnerability mitigation methods. We define software vulnerability as a kind of software fault, and correspond the classes of software vulnerability mitigation methods accordingly. In this paper, the software vulnerability mitigation methods are classified into vulnerability prevention, vulnerability tolerance, vulnerability removal and vulnerability forecasting. We define each vulnerability mitigation method in our new point of view and indicate some methods for each class. Our general point of view helps to consider all of the proposed methods in this review. We also identify the fault mitigation methods that might be effective in mitigating the software vulnerabilities but are not yet applied in this area. Based on that, new directions are suggested for the future research.

References

137 Cites in Article

Reference Format

W Jimenez,A Mammar,A Cavalli,R Fourier (2009). Software vulnerabilities, prevention and detection methods: a review.
Hossain Shahriar,Mohammad Zulkernine (2012). Mitigating program security vulnerabilities.
K Zafar,A Ali Static techniques for vulnerability detection.
M Pistoia,S Chandra,S Fink,E Yahav (2007). A survey of static analysis methods for identifying security vulnerabilities in software systems.
B Liu,L Shi,Z Cai,M Li (2012). Software vulnerability discovery techniques: A survey.
M Bishop (1995). A taxonomy of unix system and network vulnerabilities.
Matt Bishop,David Bailey (1996). A Critical Analysis of Vulnerability Taxonomies.
M Bishop (2002). Computer security: art and science.
H Shahriari,R Jalili,M Bishop A general framework for categorizing vulnerabilities regarding their impact on security policy.
I Krsul (1998). Software vulnerability analysis.
R Seacord,A Householder (2005). A structured approach to classifying security vulnerabilities.
A Avizienis,J-C Laprie,B Randell,C Landwehr (2004). Basic concepts and taxonomy of dependable and secure computing.
Michael Ringenburg,Dan Grossman (2005). Preventing format-string attacks via automatic and efficient dynamic checking.
G Mcgraw (2006). Software security: building security in.
M Howard (2005). How do they do it? a look inside the security development lifecycle at microsoft.
N Mead,T Stehney (2005). Security quality requirements engineering (SQUARE) methodology.
(2016). https://library.wcs.org/en-us/Scientific-Research/Research-Publications/Publications-Library/ctl/view/mid/40093/pubid/DMX5240300000.aspx.
R Seacord (2005). Secure Coding in C and C++.
F Long,D Mohindra,R Seacord,D Sutherland,D Svoboda (2011). The CERT Oracle Secure Coding Standard for Java.
(2012). The Shields Project.
David Byers,Nahid Shahmehri (2010). Unified modeling of attacks, vulnerabilities and security activities.
N Shahmehri,A Mammar,E Montes De Oca,D Byers,A Cavalli,S Ardi,W Jimenez (2012). An advanced approach for modeling and detecting software vulnerabilities.
C Cowan,F Wagle,Calton Pu,S Beattie,J Walpole (1998). Buffer overflows: attacks and defenses for the vulnerability of the decade.
T.-C Chiueh,F.-H Hsu (2001). Rad: A compile-time solution to buffer overflow attacks.
B Madan,S Phoha,K Trivedi (2005). StackOFFence: a technique for defending against buffer overflow attacks.
M Dalton,H Kannan,C Kozyrakis (2007). Raksha: a flexible information flow architecture for software security.
G Suh,J Lee,D Zhang,S Devadas (2004). Secure program execution via dynamic information flow tracking.
J Clause,W Li,A Orso (2007). Dytan: a generic dynamic taint analysis framework.
B Stock,S Lekies,T Mueller,P Spiegel,M Johns (2014). Precise clientside protection against dom-based cross-site scripting.
Sruthy Manmadhan,T Manesh (2012). A Method of Detecting Sql Injection Attack to Secure Web Applications.
Zhendong Su,Gary Wassermann (2006). The essence of command injection attacks in web applications.
C Cowan,M Barringer,S Beattie,G Kroah-Hartman,M Frantzen,J Lokier (2001). Formatguard: Automatic protection from printf format string vulnerabilities.
B Salamat,A Gal,T Jackson,K Manivannan,G Wagner,M Franz (2008). Multi-variant program execution: Using multi-core systems to defuse buffer-overflow vulnerabilities.
G Kc,A Keromytis,V Prevelakis (2003). Countering code-injection attacks with instruction-set randomization.
G Iha,H Doi (2009). An implementation of the binding mechanism in the web browser for preventing xss attacks: introducing the bind-value headers.
Suhas Gupta,Pranay Pratap,Huzur Saran,S Arun-Kumar (2006). Dynamic code instrumentation to detect and recover from return address corruption.
M Zhang,H Yin (2014). Appsealer: Automatic generation of vulnerability specific patches for preventing component hijacking attacks in android applications.
Weidong Cui,Marcus Peinado,Helen Wang,Michael Locasto (2007). ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing.
T Wang,C Song,W Lee (2014). Diagnosis and emergency patch generation for integer overflow exploits.
A Smirnov,T.-C Chiueh (2007). Automatic patch generation for buffer overflow attacks.
Z Liang,R Sekar,D Duvarney (2005). Automatic synthesis of filters to discard buffer overflow attacks: A step towards realizing self-healing systems.
M Ernst (2003). Static and dynamic analysis: Synergy and duality.
D Wheeler (2001). LAS VEGAS SANDS CORP., a Nevada corporation, Plaintiff, v. UKNOWN REGISTRANTS OF www.wn0000.com, www.wn1111.com, www.wn2222.com, www.wn3333.com, www.wn4444.com, www.wn5555.com, www.wn6666.com, www.wn7777.com, www.wn8888.com, www.wn9999.com, www.112211.com, www.4456888.com, www.4489888.com, www.001148.com, and www.2289888.com, Defendants..
J Viega,J.-T Bloch,Y Kohno,G Mcgraw (2000). ITS4: a static vulnerability scanner for C and C++ code.
S Johnson (1977). Science Film Program Under Way at Bell Telephone Laboratories.
F Yamaguchi,M Lottmann,K Rieck (2012). Generalized vulnerability extrapolation using abstract syntax trees.
H Kim,T.-H Choi,S.-C Jung,H.-C Kim,O Lee,K.-G Doh (2008). Applying dataflow analysis to detecting software vulnerability.
N Jovanovic,C Kruegel,E Kirda (2006). Pixy: A static analysis tool for detecting web application vulnerabilities.
D Wagner,J Foster,E Brewer,A Aiken (2000). A first step towards automated detection of buffer overrun vulnerabilities.
S Ganapathy,D Jha,D Chandler,D Melski,Vitek (2003). Buffer overrun detection using linear programming and static analysis.
Y Xia,J Luo,M Zhang (2005). Detecting memory access errors with flow-sensitive conditional range analysis.
Fang Yu,Tevfik Bultan,Oscar Ibarra (2009). Symbolic String Verification: Combining String Analysis and Size Analysis.
D Evans,D Larochelle (2002). Improving security using extensible lightweight static analysis.
Junfeng Yang,Ted Kremenek,Yichen Xie,Dawson Engler (2003). MECA.
Y Tsuruoka,J Tsujii,S Ananiadou (2008). Accelerating the annotation of sparse named entities by dynamic sentence selection.
M Howard (2006). A brief introduction to the standard annotation language (SAL).
Lin Tan,Yuanyuan Zhou,Yoann Padioleau (2011). aComment.
D Detlefs,G Nelson,J Saxe (2005). Simplify: a theorem prover for program checking.
G Tian-Yang,S Yin-Sheng,F You-Yuan (2010). Information Technology: Computer Science, Software Engineering and Cyber Security.
Sagar Chaki,Scott Hissam (2005). Precise Buffer Overflow Detection via Model Checking.
N Verma,M Hanmandlu (2005). Interactive Fuzzy System Using CWM.
W.-S R¨odiger (2011). Merging static analysis and model checking for improved security vulnerability detection.
H Chen,D Wagner (2002). Mops: an infrastructure for examining security properties of software.
R Hadjidj,X Yang,S Tlili,M Debbabi (2008). Modelchecking for software vulnerabilities detection with multi-language support.
Javier Esparza,David Hansel,Peter Rossmanith,Stefan Schwoon (2000). Efficient Algorithms for Model Checking Pushdown Systems.
J Ren,B Cai,H He,C Hu (2011). A method for detecting software vulnerabilities based on clustering and model analyzing.
Midya Alqaradaghi (2005). Finding Security Vulnerabilities in Java Code with Static Analysis.
G Wassermann,Z Su (2008). Static detection of cross-site scripting vulnerabilities.
D Newsome,Song (2005). Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software.
P Hooimeijer,B Livshits,D Molnar,P Saxena,M Veanes (2011). Fast and precise sanitizer analysis with bek.
Lei Wang,Qiang Zhang,Pengchao Zhao (2008). Automated Detection of Code Vulnerabilities Based on Program Analysis and Model Checking.
G Pellegrino,D Balzarotti (2014). Toward black-box detection of logic flaws in web applications.
S Kals,E Kirda,C Kruegel,N Jovanovic (2006). Secubat: a web vulnerability scanner.
J Takanen,C Demott,Miller (2008). Fuzzing for software security testing and quality assurance.
D Zhang,D Liu,Y Lei,D Kung,C Csallner,N Nystrom,W Wang (2012). Simfuzz: Test case similarity directed deep fuzzing.
Tielei Wang,Tao Wei,Guofei Gu,Wei Zou (2010). TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection.
L Doup´e,C Cavedon,G Kruegel,Vigna (2012). Enemy of the state: A state-aware black-box web vulnerability scanner.
Chaturvedula Pratyusha (2008). Automatic Generation of Coverage tests for System Programs.
P Godefroid,M Levin,D Molnar (2008). Automated whitebox fuzz testing.
C Cadar,V Ganesh,P Pawlowski,D Dill,D Engler (2008). Exe: automatically generating inputs of death.
A Haller,M Slowinska,H Neugschwandtner,Bos (2013). Dowsing for overflows: A guided fuzzer to find buffer boundary violations.
S Heelan (2011). Vulnerability detection syst ems:Think cyborg, not robot.
S Sparks,S Embleton,R Cunningham,C Zou (2007). Automated vulnerability analysis: Leveraging control flow for evolutionary input crafting.
J Demott,R Enbody,W Punch Revolutionizing the field of greybox attack surface testing with evolutionary fuzzing.
H Shahriar,M Zulkernine (2008). Music: Mutation-based sql injection vulnerability checking.
R Groce,Joshi (2008). Extending model checking with dynamic analysis.
Ranjit Jhala,Rupak Majumdar (2009). Software model checking.
P Godefroid (1997). Model checking for programming languages using verisoft.
K Havelund,T Pressburger (2000). Model checking java programs using java pathfinder.
M Musuvathi,D Park,A Chou,D Engler,D Dill (2002). Cmc: A pragmatic approach to model checking real code.
M Dwyer,J Hatcliff (2003). Bogor: an extensible and highly-modular software model checking framework.
Patrice Godefroid,Nils Klarlund,Koushik Sen (2005). DART.
E Schwartz,T Avgerinos,D Brumley (2010). All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask).
S Lekies,B Stock,M Johns (2013). 25 million flows later: large-scale detection of dom-based xss.
M Kang,S Mccamant,P Poosankam,D Song (2011). Dta++: Dynamictaint analysis with targeted controlflow propagation.
Davide Balzarotti,Marco Cova,Vika Felmetsger,Nenad Jovanovic,Engin Kirda,Christopher Kruegel,Giovanni Vigna (2008). Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications.
G Sarwar,O Mehani,R Boreli,D Kaafar (2013). On the Effectiveness of Dynamic Taint Analysis for Protecting against Private Information Leaks on Android-based Devices.
Lori Clarke (1976). A program testing system.
D Davidson,B Moench,T Ristenpart,S Jha (2013). Fie on firmware: Finding vulnerabilities in embedded systems using symbolic execution.
D Ganesh,Dill (2007). A decision procedure for bitvectors and arrays.
Leonardo De Moura,Nikolaj Bjørner (2008). Z3: An Efficient SMT Solver.
Adam Kiezun,Vijay Ganesh,Philip Guo,Pieter Hooimeijer,Michael Ernst (2009). HAMPI.
Minh-Thai Trinh,Duc-Hiep Chu,Joxan Jaffar (2014). S3.
Cristian Cadar,Koushik Sen (2013). Symbolic execution for software testing.
Z Wang,J Ming,C Jia,D Gao (2011). Linear obfuscation to combat symbolic execution.
K Sen,D Marinov,G Agha (2005). Dynamic test generation to find integer bugs in x86 binary linux programs.
C Cho,D Babic,P Poosankam,K Chen,E Wu,D Song (2011). Mace: Model-inference-assisted concolic exploration for protocol and vulnerability discovery.
M Monga,R Paleari,E Passerini (2009). A hybrid analysis framework for detecting web application vulnerabilities.
W Halfond,A Orso (2005). Combining static analysis and runtime monitoring to counter sql-injection attacks.
L Felmetsger,C Cavedon,G Kruegel,Vigna (2010). Toward automated detection of logic vulnerabilities in web applications.
S.-W Woo,H Joh,O Alhazmi,Y Malaiya (2011). Modeling vulnerability discovery process in apache and iis http servers.
O Alhazmi,Y Malaiya (2005). Quantitative vulnerability assessment of systems software.
O Alhazmi,Y Malaiya,I Ray (2005). Security vulnerabilities in software systems: A quantitative perspective.
S Rahimi,M Zargham (2013). Vulnerability Scrying Method for Software Vulnerability Discovery Prediction Without a Vulnerability Database.
O Alhazmi,Y Malaiya (2008). Application of vulnerability discovery models to major operating A New View on Classification of Software Vulnerability Mitigation Methods systems, Reliability.
H Joh,Y Malaiya (2009). Seasonal variation in the vulnerability discovery process.
Daniela Oliveira,Marissa Rosenthal,Nicole Morin,Kuo-Chuan Yeh,Justin Cappos,Yanyan Zhuang (2014). It's the psychology stupid.
H Xue,N Dautenhahn,S King (2012). Using replicated execution for a more secure and reliable web browser.
L Szekeres,M Payer,T Wei,D Song (2007). Multi-module vulnerability analysis of web-based applications.
J Bau,E Bursztein,D Gupta,J Mitchell (2010). State of the art: Automated black-box web application vulnerability testing.
Mohamed Almorsy,John Grundy,Amani Ibrahim (2012). Supporting automated vulnerability analysis using formalized vulnerability signatures.
Fabian Yamaguchi,Nico Golde,Daniel Arp,Konrad Rieck (2014). Modeling and Discovering Vulnerabilities with Code Property Graphs.
W Mallouli,A Mammar,A Cavalli,W Jimenez (2011). Vdc-based dynamic code analysis: Application to c programs.
B Livshits (2006). Improving software security with precise static and runtime analysis.
U Shankar,K Talwar,J Foster,D Wagner (2001). Format String Vulnerabilities.
L Paulson (1997). Proving properties of security protocols by induction.
M Burrows,M Abadi,Roger Needham (1989). A logic of authentication.
T Nipkow,L Paulson,M Wenzel (2002). Isabelle/HOL.
D Larochelle,D Evans (2001). Statically detecting likely buffer overflow vulnerabilities.
C Landwehr,A Bull,J Mcdermott,W Choi (1994). A taxonomy of computer program security flaws.
R Abbott,J Chin,J Donnelley,W Konigsford,S Tokubo,D Webb (1976). Security analysis and enhancements of computer operating systems.
R Bisbey,D Hollingworth (1978). Protection analysis: Final report.
Thomas Henzinger,Ranjit Jhala,Rupak Majumdar,Grégoire Sutre (2003). Software Verification with BLAST.
S Rawat,D Ceara,L Mounier,M.-L Potet Combining static and dynamic analysis for vulnerability detection.
R Anderson,E (2005). Security in open versus closed system the dance of boltzmann, coase and moore.
John Musa,Kazuhira Okumoto (1984). Application of Basic and Logarithmic Poisson Execution Time Models in Software Reliability Measurement.
Johannes Dahse,Thorsten Holz (2014). Simulation of Built-in PHP Features for Precise Static Code Analysis.

Download References

Funding

No external funding was declared for this work.

Conflict of Interest

The authors declare no conflict of interest.

Ethical Approval

No ethics committee approval was required for this article type.

Data Availability

Not applicable for this article.

How to Cite This Article

Babak Sadeghiyan. 2017. \u201cA New View on Classification of Software Vulnerability Mitigation Methods\u201d. Global Journal of Computer Science and Technology - C: Software & Data Engineering GJCST-C Volume 17 (GJCST Volume 17 Issue C1): .

More Citation Formats

Select Citation Style:

Download Citation

Download Article

GJCST Volume 17 Issue C1
Pg. 41- 61

Explore Journals Explore Volume Read This Issue

Journal Specifications

Crossref Journal DOI 10.17406/gjcst

Print ISSN 0975-4350

e-ISSN 0975-4172

Keywords

Not Found

Classification

H.3.4

Submission ReceivedDecember 6, 2016
Peer Review Double Blind
Handling Editor
Accepted January 3, 2017
Published January 15, 2017

Version of record

v1.2

Issue date

April 26, 2017

Language

Experiance in AR

Explore published articles in an immersive Augmented Reality environment. Our platform converts research papers into interactive 3D books, allowing readers to view and interact with content using AR and VR compatible devices.

View in VR

Read in 3D

Your published article is automatically converted into a realistic 3D book. Flip through pages and read research papers in a more engaging and interactive format.

View in 3D

Article Matrices

Total Score: 82

Country: Iran

Subject: Global Journal of Computer Science and Technology - C: Software & Data Engineering

Authors: Maryam Mouzarani, Babak Sadeghiyan (PhD/Dr. count: 0)

View Count (all-time): 270

Total Views (Real + Logic): 6755

Total Downloads (simulated): 1768

Publish Date: 2017 04, Wed

Monthly Totals (Real + Logic):

Month 1: 50 views
Month 2: 53 views
Month 3: 37 views
Month 4: 38 views
Month 5: 25 views
Month 6: 39 views
Month 7: 41 views
Month 8: 43 views
Month 9: 42 views
Month 10: 19 views
Month 11: 25 views
Month 12: 32 views
Month 13: 20 views
Month 14: 21 views
Month 15: 37 views
Month 16: 21 views
Month 17: 28 views
Month 18: 32 views
Month 19: 33 views
Month 20: 46 views
Month 21: 28 views
Month 22: 25 views
Month 23: 20 views
Month 24: 21 views
Month 25: 25 views
Month 26: 49 views
Month 27: 48 views
Month 28: 20 views
Month 29: 26 views
Month 30: 32 views
Month 31: 28 views
Month 32: 15 views
Month 33: 21 views
Month 34: 24 views
Month 35: 33 views
Month 36: 27 views
Month 37: 19 views
Month 38: 25 views
Month 39: 27 views
Month 40: 42 views
Month 41: 35 views
Month 42: 38 views
Month 43: 39 views
Month 44: 27 views
Month 45: 28 views
Month 46: 21 views
Month 47: 26 views
Month 48: 23 views
Month 49: 38 views
Month 50: 41 views
Month 51: 38 views
Month 52: 23 views
Month 53: 45 views
Month 54: 31 views
Month 55: 16 views
Month 56: 16 views
Month 57: 24 views
Month 58: 45 views
Month 59: 34 views
Month 60: 41 views
Month 61: 28 views
Month 62: 32 views
Month 63: 39 views
Month 64: 42 views
Month 65: 31 views
Month 66: 18 views
Month 67: 20 views
Month 68: 31 views
Month 69: 47 views
Month 70: 37 views
Month 71: 27 views
Month 72: 35 views
Month 73: 16 views
Month 74: 34 views
Month 75: 15 views
Month 76: 37 views
Month 77: 41 views
Month 78: 25 views
Month 79: 24 views
Month 80: 43 views
Month 81: 28 views
Month 82: 32 views
Month 83: 32 views
Month 84: 24 views
Month 85: 16 views
Month 86: 34 views
Month 87: 14 views
Month 88: 22 views
Month 89: 20 views
Month 90: 17 views
Month 91: 34 views
Month 92: 16 views
Month 93: 45 views
Month 94: 24 views
Month 95: 29 views
Month 96: 41 views
Month 97: 18 views
Month 98: 25 views
Month 99: 18 views
Month 100: 43 views
Month 101: 18 views
Month 102: 39 views
Month 103: 43 views
Month 104: 40 views
Month 105: 40 views
Month 106: 76 views
Month 107: 38 views
Month 108: 39 views

Total Views: 6755

Total Downloads: 1768

2026 Trends

Published Article

Our website is actively being updated, and changes may occur frequently. Please clear your browser cache if needed. For feedback or error reporting, please email [email protected]