Abstract
It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed to realize the description of vulnerability attribute and the construction of a vulnerability model. A vulnerability model based on chemical abstract machine (CHAM) is constructed to realize the CHAM description of vulnerability model, and the framework of vulnerability model is also discussed. Case study is carried out to verify the feasibility and effectiveness of the proposed model. In addition, a prototype system is also designed and implemented based on the proposed vulnerability model. Experimental results show that the proposed model is more effective than other methods in the detection of software vulnerabilities.
Similar content being viewed by others
References
CVND. 2016 CNVD Vulnerability Data Statistics Briefing [EB/OL].[2017-04-12]. http://www.cnvd.org.cn/webinfo/show/40-40.
Aslam T, Krsul I. Use of a taxonomy of security faults. eugene spafford [C]//Proceedings of the 19th National Information Systems Security Conference. Baltimore: Purdue University, 1996: 551–560.
Krsul I. Software Vulnerability Analysis[R].West Lafayette: Department of Computer Sciences, Purdue University, 1998, 23 (3): 25–36.
Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools[C]//IEEE International Conference on Information Theory and Information Security. Washington D C: IEEE, 2010: 521–524.
Cadariu M, Bouwers E, Visser J, et al. Tracking known security vulnerabilities in proprietary software systems[C]//International Conference on Software Analysis, Evolution and Reengineering. Washington D C: IEEE Computer Society, 2015: 516–519.
Zhang S, Caragea D, Ou X. An empirical study on using the national vulnerability database to predict software vulnerabilities[C]//International Conference on Database and Expert Systems Applications. Berlin: Springer-Verlag, 2011, 6860: 217–231.
Anand P. Overview of root causes of software vulnerabilities-technical and user-side perspectives[C]//International Conference on Software Security and Assurance (ICSSA). Washington D C: IEEE, 2016: 70–74.
Scholte T, Balzarotti D, Kirda E. Have things changed now? An empirical study on input validation vulnerabilities in web applications[J]. Computers & Security, 2012, 31: 344–356.
Tang Y, Zhao F, Yang Y, et al. Predicting vulnerable components via text mining or software metrics? An effortaware perspective[C]//IEEE International Conference on Software Quality, Reliability and Security (QRS). Washington D C: IEEE, 2015: 27–36.
Kapur P, Yadavali V S, Shrivastava A. A comparative study of vulnerability discovery modeling and software reliability growth modeling[C]//International Conference on Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE), 2015: 246–251.
Li H, Kim T, Bat-Erdene M, et al. Software vulnerability detection using backward trace analysis and symbolic execution[C]//International Conference on Availability, Reliability and Security. Washington D C: IEEE Computer Society, 2013, 6(3): 446–454.
Younis A A, Malaiya Y K, Ray I. Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability[C]//IEEE International Symposium on High-Assurance Systems Engineering. Washington D C: IEEE Computer Society, 2014: 1–8.
Anand A, Bhatt N. Vulnerability discovery modeling and weighted criteria based ranking[J]. Journal of the Indian Society for Probability and Statistics, 2016, 17(1):1–10.
Wang T, Han L, Fu C, et al. Software vulnerability static detection model and detection framework[J]. Computer Science, 2016, 43 (5): 80–86 (Ch).
Chen J F, Chen J M, Huang R B, et al. An approach of security testing for third-party component based on state mutation[J]. Security and Communication Networks (SCN), 2016, 9(15): 2827–2842.
Tang C L, Dong J Q, Dai D B, et al. A similarity query algorithm for sequence pattern[J]. Computer Research and Development, 2011: 132–139 ( Ch).
Chen J F, Zhu L L, Xie Z B, et al. An effective long string searching algorithm towards component security testing[J]. China Communications, 2016, 13(11): 153–169.
Yamaguchi F, Golde N, Arp D, et al. Modeling and discovering vulnerabilities with code property graphs[C]//2014 IEEE Symposium on Security and Privacy (SP). Washington D C: IEEE, 2014: 590–604.
Singh D, Choudhary J P, De M. An effort to select a preferable metaheuristic model for knowledge discovery in data mining[J]. Inderscience Publishers, 2015, 4(1): 57–90.
Osman A M, Dafa-Allah A, Elhag A A M. Proposed security model for web based applications and services[C]//International Conference on Communication, Control, Computing and Electronics Engineering. Washington D C: IEEE, 2017: 1–6.
Liu B, Shi L, Cai Z, et al. Software vulnerability discovery techniques: A survey[C]//The fourth International Conference on Multimedia Information Networking and Security (MINES). Washington D C: IEEE, 2012: 152–156.
Nestmann U, Teleki L. A chemical abstract machine for a calculus of communicating functions[C]//Interner Bericht IMMD714/92. Nürnberg Area, Germany: Universitat Erlangen, 2012.
Chen J F, Lu Y S, Wang H H. Component security testing approach based on extended chemical abstract machine[J]. International Journal of Software Engineering & Knowledge Engineering, 2012, 22(1):59–83.
Chen J, Li Q, Wang H, et al. Describing component behavior using improved chemical abstract machine[C]//IEEE Computer Software and Applications Conference. Washington D C: IEEE, 2013:605–606.
Kapur P, Yadavali V S, Shrivastava A. A comparative study of vulnerability discovery modeling and software reliability growth modeling[C]//Futuristic Trends on Computational Analysis and Knowledge Management. Washington D C: IEEE, 2015: 246–251.
NIST. Software Assurance Reference Dataset (SARD) [DB/OL]. [2017-06-15]. https://samate.nist.gov/SRD/testsuite. php. America, 2017.
FindBugs™-Find Bugs in Java Programs [EB/OL]. [2017-05-01]. http://findbugs.sourceforge.net/.
PMD Source Code Analyzer [EB/OL]. [2017-04-22]. https://pmd.github.io/.
Author information
Authors and Affiliations
Corresponding author
Additional information
Foundation item: Supported by the National Natural Science Foundation of China (61202110 and 61502205), and the Project of Jiangsu Provincial Six Talent Peaks (XYDXXJS-016)
Rights and permissions
About this article
Cite this article
Li, X., Chen, J., Lin, Z. et al. A Vulnerability Model Construction Method Based on Chemical Abstract Machine. Wuhan Univ. J. Nat. Sci. 23, 150–162 (2018). https://doi.org/10.1007/s11859-018-1305-2
Received:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11859-018-1305-2
Key words
- software security
- vulnerability detection
- vulnerability analysis
- vulnerability model
- chemical abstract machine