Abstract |
---|
Security vulnerabilities in system software are a major concern, especially when the software is highly exposed. This paper studies whether it is possible to emulate security vulnerabilities through software fault injection by using well known emulation operators. Emulating security vulnerabilities in the C programming language, in a realistic way using field data, is an unanswered research question, although most systems software is written in C. We analyzed publicly known vulnerabilities from the Xen, Linux, and Apache projects, and mapped those vulnerabilities onto combinations of software fault operators. The results show that most vulnerabilities require operators that are not in the set of frequent software faults. Furthermore, a fairly high number of vulnerabilities consists of a combination of two or three software faults that may cause combinatorial explosion. The implication of these observations for practice is that software fault injection, based on the most frequent software faults, has limited ability to emulate software vulnerabilities. |

Year | DOI | Venue |
---|---|---|
2017 | 10.1109/EDCC.2017.28 | 2017 13th European Dependable Computing Conference (EDCC) |

Keywords | Field | DocType |
---|---|---|
Dependability, Security, Software Vulnerabilities, Verification | System software, Software fault, Research question, Software engineering, Computer science, Software, Emulation, Operator (computer programming), Combinatorial explosion, Vulnerability, Distributed computing | Conference |

ISBN | Citations | PageRank |
---|---|---|
978-1-5386-0603-2 | 1 | 0.36 |

References | Authors |
---|---|
9 | 4 |

Name | Order | Citations | PageRank |
---|---|---|---|
Frederico Cerveira | 1 | 13 | 3.62 |
Raul Barbosa | 2 | 110 | 19.08 |
Marta Mercier | 3 | 1 | 0.36 |
Henrique Madeira | 4 | 1307 | 122.00 |