Computing Technologies and Human Aspects research cluster

VULNERABILITY: Rigorous approach to software vulnerability life cycle management

Executive summary

The purpose of the project is to develop a framework aimed at rigorous vulnerability management (including vulnerability scanning, alerting, isolation, removal, intrusion avoidance, etc.). The recent WanaCrypt0r epidemic underlines the importance of a rigorous approach to vulnerability management. Existing security scanners mainly focus on finding software products with known vulnerabilities for which patches are already available but have not yet been applied by a system administrator. Mainly, they interact with the NVD vulnerability database via the SCAP protocol. Aimed at reducing “white risks” (so called “user days-of-risk”), they DO NOT address the black and grey risks caused by zero-day or forever-day vulnerabilities.

To advance system security analysis and vulnerability management assessment over a software product's lifetime, we introduce a technique for estimating (i) days-of-risk per individual vulnerability, (ii) the current number of forever-day vulnerabilities present in a particular software product or computer system, (iii) system mean time-to-vulnerability, etc. The proposed technique combines run-time monitoring with interaction with CVE, NVD, EXPLOIT-DB and other vulnerability and exploit databases to identify the vulnerability window: the period between the time a vulnerability is disclosed and the times an exploit and a vulnerability patch are issued, by hackers and the product vendor respectively.

The ultimate goal of the project is to deliver to market a set of tools that advance system security analysis and risk measurement: (i) a forever-day vulnerability scanning tool, (ii) a forever-day vulnerability alerting web service, (iii) an intrusion avoidance guideline.

Description of proposed research

A vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerabilities in operating systems and system software represent threats to the dependability and, in particular, the security of computer systems, in addition to the faults, errors and failures traditionally dealt with by the dependability community. One of the most important vulnerability characteristics related to the vulnerability life cycle is Days-of-Risk (DoR), also known as the vulnerability window: the period of greatly increased risk from when a vulnerability has been publicly disclosed until a vendor patch is available to fix it. It can be divided into several intervals:

  1. “black risk” which is the time period from discovery to disclosure, when only a small closed group is aware of the vulnerability and able to exploit it;
  2. “grey risk” which is the time period commonly measured as the “days-of-risk”, when the vulnerability (called forever-day vulnerability) is widely and publicly known within the security community, but a vendor patch or full mitigation is not yet available;
  3. “white risk” or “user days-of-risk” which is the time period after a patch or full mitigation is available, but before a user has applied it to his system(s).