Using Variability Modeling to Support Security Evaluations: Virtualizing the Right Attack Scenarios

Andy Kenner, Stephan Dassow, Christian Lausberger, Jacob Krüger, Thomas Leich

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

7 Citations (Scopus)

Abstract

A software system’s security is constantly threatened by vulnerabilities that result from faults in the system’s design (e.g., unintended feature interactions) and which can be exploited with attacks. While various databases summarize information on vulnerabilities and other security issues for many software systems, these databases face severe limitations. For example, the information’s quality is unclear, often only semi-structured, and barely connected to other information. Consequently, it can be challenging for any security-related stakeholder to extract and understand what information is relevant, considering that most systems exist in different variants and versions. To tackle this problem, we propose to design vulnerability feature models that represent the vulnerabilities of a system and enable developers to virtualize corresponding attack scenarios. In this paper, we report a first case study on Mozilla Firefox for which we extracted vulnerabilities and used them to virtualize vulnerable instances in Docker. To this end, we focused on extracting information from available databases and on evaluating the usability of the results. Our findings indicate several problems with the extraction that complicate modeling, understanding, and testing of vulnerabilities. Nonetheless, the databases provide a valuable foundation for our technique, which we aim to extend with automatic synthesis and analyses of feature models, as well as virtualization for attack scenarios in future work.
Original language: English
Title of host publication: Proceedings - VaMoS 2020
Subtitle of host publication: 14th International Working Conference on Variability Modelling of Software-Intensive Systems
Editors: Maxime Cordy, Mathieu Acher, Danilo Beuche, Gunter Saake
Publisher: Association for Computing Machinery, Inc
Pages: 10:1-10:9
Number of pages: 9
ISBN (Electronic): 9781450375016
DOIs
Publication status: Published - 5 Feb 2020

Publication series

Name: ACM International Conference Proceeding Series

Bibliographical note

DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.

Keywords

  • Vulnerability
  • Exploit
  • Attack Scenario
  • Software Architecture
  • Docker-Container
  • Variability Model
  • Feature Model
  • Attack Scenarios
