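@inproceedings{53532d501c98497d9d1d75081c1b9750,
  title     = {Using Variability Modeling to Support Security Evaluations: Virtualizing the Right Attack Scenarios},
  abstract  = {A software system's security is constantly threatened by vulnerabilities that result from faults in the system's design (e.g., unintended feature interactions) and which can be exploited with attacks. While various databases summarize information on vulnerabilities and other security issues for many software systems, these databases face severe limitations. For example, the information's quality is unclear, often only semi-structured, and barely connected to other information. Consequently, it can be challenging for any security-related stakeholder to extract and understand what information is relevant, considering that most systems exist in different variants and versions. To tackle this problem, we propose to design vulnerability feature models that represent the vulnerabilities of a system and enable developers to virtualize corresponding attack scenarios. In this paper, we report a first case study on Mozilla Firefox for which we extracted vulnerabilities and used them to virtualize vulnerable instances in Docker. To this end, we focused on extracting information from available databases and on evaluating the usability of the results. Our findings indicate several problems with the extraction that complicate modeling, understanding, and testing of vulnerabilities. Nonetheless, the databases provide a valuable foundation for our technique, which we aim to extend with automatic synthesis and analyses of feature models, as well as virtualization for attack scenarios in future work.},
  keywords  = {Vulnerability, Exploit, Attack Scenario, Software Architecture, Docker-Container, Variability Model, Feature Model},
  author    = {Kenner, Andy and Dassow, Stephan and Lausberger, Christian and Kr{\"u}ger, Jacob and Leich, Thomas},
  editor    = {Cordy, Maxime and Acher, Mathieu and Beuche, Danilo and Saake, Gunter},
  booktitle = {Proceedings - {VaMoS} 2020},
  series    = {ACM International Conference Proceeding Series},
  publisher = {Association for Computing Machinery, Inc},
  address   = {United States},
  year      = {2020},
  month     = feb,
  day       = {5},
  pages     = {10:1--10:9},
  doi       = {10.1145/3377024.3377026},
  language  = {English},
  metadata-license = {DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.},
}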