Skip to main content
SpringerLink
Log in

A Vulnerability Model Construction Method Based on Chemical Abstract Machine

  • Computer Science
  • Published:
Wuhan University Journal of Natural Sciences

Abstract

It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed to realize the description of vulnerability attribute and the construction of a vulnerability model. A vulnerability model based on chemical abstract machine (CHAM) is constructed to realize the CHAM description of vulnerability model, and the framework of vulnerability model is also discussed. Case study is carried out to verify the feasibility and effectiveness of the proposed model. In addition, a prototype system is also designed and implemented based on the proposed vulnerability model. Experimental results show that the proposed model is more effective than other methods in the detection of software vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. CVND. 2016 CNVD Vulnerability Data Statistics Briefing [EB/OL].[2017-04-12]. http://www.cnvd.org.cn/webinfo/show/40-40.

  2. Aslam T, Krsul I. Use of a taxonomy of security faults. eugene spafford [C]//Proceedings of the 19th National Information Systems Security Conference. Baltimore: Purdue University, 1996: 551–560.

    Google Scholar 

  3. Krsul I. Software Vulnerability Analysis[R].West Lafayette: Department of Computer Sciences, Purdue University, 1998, 23 (3): 25–36.

    Google Scholar 

  4. Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools[C]//IEEE International Conference on Information Theory and Information Security. Washington D C: IEEE, 2010: 521–524.

    Google Scholar 

  5. Cadariu M, Bouwers E, Visser J, et al. Tracking known security vulnerabilities in proprietary software systems[C]//International Conference on Software Analysis, Evolution and Reengineering. Washington D C: IEEE Computer Society, 2015: 516–519.

    Google Scholar 

  6. Zhang S, Caragea D, Ou X. An empirical study on using the national vulnerability database to predict software vulnerabilities[C]//International Conference on Database and Expert Systems Applications. Berlin: Springer-Verlag, 2011, 6860: 217–231.

    Article  Google Scholar 

  7. Anand P. Overview of root causes of software vulnerabilities-technical and user-side perspectives[C]//International Conference on Software Security and Assurance (ICSSA). Washington D C: IEEE, 2016: 70–74.

    Chapter  Google Scholar 

  8. Scholte T, Balzarotti D, Kirda E. Have things changed now? An empirical study on input validation vulnerabilities in web applications[J]. Computers & Security, 2012, 31: 344–356.

    Article  Google Scholar 

  9. Tang Y, Zhao F, Yang Y, et al. Predicting vulnerable components via text mining or software metrics? An effortaware perspective[C]//IEEE International Conference on Software Quality, Reliability and Security (QRS). Washington D C: IEEE, 2015: 27–36.

    Google Scholar 

  10. Kapur P, Yadavali V S, Shrivastava A. A comparative study of vulnerability discovery modeling and software reliability growth modeling[C]//International Conference on Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE), 2015: 246–251.

    Google Scholar 

  11. Li H, Kim T, Bat-Erdene M, et al. Software vulnerability detection using backward trace analysis and symbolic execution[C]//International Conference on Availability, Reliability and Security. Washington D C: IEEE Computer Society, 2013, 6(3): 446–454.

    Google Scholar 

  12. Younis A A, Malaiya Y K, Ray I. Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability[C]//IEEE International Symposium on High-Assurance Systems Engineering. Washington D C: IEEE Computer Society, 2014: 1–8.

    Google Scholar 

  13. Anand A, Bhatt N. Vulnerability discovery modeling and weighted criteria based ranking[J]. Journal of the Indian Society for Probability and Statistics, 2016, 17(1):1–10.

    Article  Google Scholar 

  14. Wang T, Han L, Fu C, et al. Software vulnerability static detection model and detection framework[J]. Computer Science, 2016, 43 (5): 80–86 (Ch).

    Google Scholar 

  15. Chen J F, Chen J M, Huang R B, et al. An approach of security testing for third-party component based on state mutation[J]. Security and Communication Networks (SCN), 2016, 9(15): 2827–2842.

    Article  Google Scholar 

  16. Tang C L, Dong J Q, Dai D B, et al. A similarity query algorithm for sequence pattern[J]. Computer Research and Development, 2011: 132–139 ( Ch).

    Google Scholar 

  17. Chen J F, Zhu L L, Xie Z B, et al. An effective long string searching algorithm towards component security testing[J]. China Communications, 2016, 13(11): 153–169.

    Article  Google Scholar 

  18. Yamaguchi F, Golde N, Arp D, et al. Modeling and discovering vulnerabilities with code property graphs[C]//2014 IEEE Symposium on Security and Privacy (SP). Washington D C: IEEE, 2014: 590–604.

    Google Scholar 

  19. Singh D, Choudhary J P, De M. An effort to select a preferable metaheuristic model for knowledge discovery in data mining[J]. Inderscience Publishers, 2015, 4(1): 57–90.

    Google Scholar 

  20. Osman A M, Dafa-Allah A, Elhag A A M. Proposed security model for web based applications and services[C]//International Conference on Communication, Control, Computing and Electronics Engineering. Washington D C: IEEE, 2017: 1–6.

    Google Scholar 

  21. Liu B, Shi L, Cai Z, et al. Software vulnerability discovery techniques: A survey[C]//The fourth International Conference on Multimedia Information Networking and Security (MINES). Washington D C: IEEE, 2012: 152–156.

    Google Scholar 

  22. Nestmann U, Teleki L. A chemical abstract machine for a calculus of communicating functions[C]//Interner Bericht IMMD714/92. Nürnberg Area, Germany: Universitat Erlangen, 2012.

    Google Scholar 

  23. Chen J F, Lu Y S, Wang H H. Component security testing approach based on extended chemical abstract machine[J]. International Journal of Software Engineering & Knowledge Engineering, 2012, 22(1):59–83.

    Article  Google Scholar 

  24. Chen J, Li Q, Wang H, et al. Describing component behavior using improved chemical abstract machine[C]//IEEE Computer Software and Applications Conference. Washington D C: IEEE, 2013:605–606.

    Google Scholar 

  25. Kapur P, Yadavali V S, Shrivastava A. A comparative study of vulnerability discovery modeling and software reliability growth modeling[C]//Futuristic Trends on Computational Analysis and Knowledge Management. Washington D C: IEEE, 2015: 246–251.

    Google Scholar 

  26. NIST. Software Assurance Reference Dataset (SARD) [DB/OL]. [2017-06-15]. https://samate.nist.gov/SRD/testsuite. php. America, 2017.

  27. FindBugs™-Find Bugs in Java Programs [EB/OL]. [2017-05-01]. http://findbugs.sourceforge.net/.

  28. PMD Source Code Analyzer [EB/OL]. [2017-04-22]. https://pmd.github.io/.

Download references

Author information

Authors and Affiliations

  1. National Key Laboratory of Science and Technology on Information System Security, Beijing, 100101, China

    Xiang Li, Zhechao Lin & Zibin Wang

  2. Beijing Institute of System Engineering, Beijing, 100101, China

    Xiang Li, Zhechao Lin & Zibin Wang

  3. School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang, 212013, Jiangsu, China

    Jinfu Chen, Lin Zhang, Minmin Zhou & Wanggen Xie

Authors
  1. Xiang Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jinfu Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Zhechao Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lin Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Zibin Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Minmin Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Wanggen Xie
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jinfu Chen.

Additional information

Foundation item: Supported by the National Natural Science Foundation of China (61202110 and 61502205), and the Project of Jiangsu Provincial Six Talent Peaks (XYDXXJS-016)

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Li, X., Chen, J., Lin, Z. et al. A Vulnerability Model Construction Method Based on Chemical Abstract Machine. Wuhan Univ. J. Nat. Sci. 23, 150–162 (2018). https://doi.org/10.1007/s11859-018-1305-2

Download citation

  • Received:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11859-018-1305-2

Key words

CLC number

Search

Navigation