Expert Assessment on the Probability of Successful Remote Code Execution Attacks

Hannes Holm, Teodor Sommestad, Ulrik Franke, Mathias Ekstedt

Abstract

This paper describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks: the presence of (i) non-executable memory, (ii) access, and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The remaining relevant variables were fixed by the environment of a cyber defense exercise in which the respondents participated. The questionnaire was fully completed by fifteen experts. These experts perceived access as the most important variable, and the availability of exploits for High vulnerabilities as more important than for Medium vulnerabilities. Non-executable memory, however, was not seen as significant, presumably because the network architecture of the cyber defense exercise scenario lacked address space layout randomization and stack canaries.

Paper Citation
in Harvard Style

Holm H., Sommestad T., Franke U. and Ekstedt M. (2011). Expert Assessment on the Probability of Successful Remote Code Execution Attacks. In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011) ISBN 978-989-8425-61-4, pages 49-58. DOI: 10.5220/0003578700490058

in Bibtex Style

@conference{wosis11,
author={Hannes Holm and Teodor Sommestad and Ulrik Franke and Mathias Ekstedt},
title={Expert Assessment on the Probability of Successful Remote Code Execution Attacks},
booktitle={Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)},
year={2011},
pages={49-58},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003578700490058},
isbn={978-989-8425-61-4},
}
in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)
TI - Expert Assessment on the Probability of Successful Remote Code Execution Attacks
SN - 978-989-8425-61-4
AU - Holm H.
AU - Sommestad T.
AU - Franke U.
AU - Ekstedt M.
PY - 2011
SP - 49
EP - 58
DO - 10.5220/0003578700490058