Spelling suggestions: "subject:"vulnerability dentification"" "subject:"vulnerability didentification""
1 |
Can Developer Data Predict Vulnerabilities? : Examining Developer and Vulnerability Correlation in the Kibana ProjectLövgren, Johan January 2023 (has links)
Open-source software is often chosen with the expectation of increased security. The transparency and peer review process of open development offer advantages in terms of more secure code. However, developing secure code remains a challenging task that requires more than just expertise. Even with adequate knowledge, human errors can occur, leading to mistakes and overlooked issues that may result in exploitable vulnerabilities. It is reasonable to assume that not all developers introduce bugs or vulnerabilities randomly since each developer brings unique experience and knowledge to the development process. The objective of this thesis is to investigate a method for identifying high-risk developers who are more likely to introduce vulnerabilities or bugs, which can be used to predict potential locations of bugs or vulnerabilities in the source code based on the developer who wrote the code. Metrics related to developers’ code churn, code complexity, bug association, and experience were collected during a case study of the open- source project Kibana. The findings provide empirical evidence suggesting that developers that write code with higher complexity and have a greater project activity pose a higher risk of introducing vulnerabilities and bugs. Developers who have introduced vulnerabilities also tend to exhibit higher code churn, code complexity, and bug association compared to those who have not introduced a vulnerability. However, the metrics employed in this study were not sufficiently discriminative for identifying developers with a higher risk of introducing vulnerabilities or bugs per commit. Nevertheless, the results of this study serve as a foundation for further research in this area exploring the topic further. / Programvara med öppen källkod väljs ofta med förväntningar om ökad säkerhet. Transparensen och peer review-processen erbjuder fördelar i form av säkrare kod. Men att utveckla säker kod är fortfarande en utmanande uppgift som kräver mer än bara expertis. Även med tillräcklig kunskap kan mänskliga fel uppstå, vilket leder till misstag och förbisedda problem som kan resultera i exploaterbara sårbarheter. Det är rimligt att anta att inte alla utvecklare introducerar buggar eller sårbarheter slumpmässigt, eftersom varje utvecklare tar med sig unik erfarenhet och kunskap till utvecklingsprocessen. Syftet med detta examensarbete är att identifiera en metod att identifiera högriskutvecklare som är mer benägna att introducera sårbarheter eller buggar, vilket kan användas för att förutsäga potentiella platser för buggar eller sårbarheter i källkoden baserat på utvecklaren som skrev koden. Mätvärden relaterade till utvecklarnas omsättning av kod, kodkomplexitet, buggassociation och erfarenhet samlades in under en fallstudie av det öppna källkodsprojektet Kibana. Fynden ger empiriska bevis som tyder på att utvecklare med högre kodkomplexitetsmått och större projektaktivitet utgör en högre risk för att introducera sårbarheter och buggar. Utvecklare som har introducerat sårbarheter tenderar också att uppvisa högre omsättning av kod, kodkomplexitet och buggassociation jämfört med de som inte har introducerat en sårbarhet. De mätvärden som användes i denna studie var dock inte tillräckligt diskriminerande för att identifiera utvecklare med en högre risk att introducera sårbarheter eller buggar per commit. Ändå fungerar resultaten av denna studie som en grund för vidare studier inom detta område.
|
2 |
Can Developer Data Predict Vulnerabilities? : Examining Developer and Vulnerability Correlation in the Kibana Project / Kan Utvecklardata Förutse Sårbarheter? : Studie om Korrelation Mellan Utvecklare och Sårbarheter i Kibanas KällkodLövgren, Johan January 2023 (has links)
Open-source software is often chosen with the expectation of increased security [1]. The transparency and peer review process of open development offer advantages in terms of more secure code. However, developing secure code remains a challenging task that requires more than just expertise. Even with adequate knowledge, human errors can occur, leading to mistakes and overlooked issues that may result in exploitable vulnerabilities. It is reasonable to assume that not all developers introduce bugs or vulnerabilities randomly since each developer brings unique experience and knowledge to the development process. The objective of this thesis is to investigate a method for identifying high-risk developers who are more likely to introduce vulnerabilities or bugs, which can be used to predict potential locations of bugs or vulnerabilities in the source code based on the developer who wrote the code. Metrics related to developers’ code churn, code complexity, bug association, and experience were collected during a case study of the open-source project Kibana. The findings provide empirical evidence suggesting that developers that write code with higher complexity and have a greater project activity pose a higher risk of introducing vulnerabilities and bugs. Developers who have introduced vulnerabilities also tend to exhibit higher code churn, code complexity, and bug association compared to those who have not introduced a vulnerability. However, the metrics employed in this study were not sufficiently discriminative for identifying developers with a higher risk of introducing vulnerabilities or bugs per commit. Nevertheless, the results of this study serve as a foundation for further research in this area exploring the topic further. / Programvara med öppen källkod väljs ofta med förväntningar om ökad säkerhet [1]. Transparensen och peer review-processen erbjuder fördelar i form av säkrare kod. Men att utveckla säker kod är fortfarande en utmanande uppgift som kräver mer än bara expertis. Även med tillräcklig kunskap kan mänskliga fel uppstå, vilket leder till misstag och förbisedda problem som kan resultera i exploaterbara sårbarheter. Det är rimligt att anta att inte alla utvecklare introducerar buggar eller sårbarheter slumpmässigt, eftersom varje utvecklare tar med sig unik erfarenhet och kunskap till utvecklingsprocessen. Syftet med detta examensarbete är att identifiera en metod att identifiera högriskutvecklare som är mer benägna att introducera sårbarheter eller buggar, vilket kan användas för att förutsäga potentiella platser för buggar eller sårbarheter i källkoden baserat på utvecklaren som skrev koden. Mätvärden relaterade till utvecklarnas omsättning av kod, kodkomplexitet, buggassociation och erfarenhet samlades in under en fallstudie av det öppna källkodsprojektet Kibana. Fynden ger empiriska bevis som tyder på att utvecklare med högre kodkomplexitetsmått och större projektaktivitet utgör en högre risk för att introducera sårbarheter och buggar. Utvecklare som har introducerat sårbarheter tenderar också att uppvisa högre omsättning av kod, kodkomplexitet och buggassociation jämfört med de som inte har introducerat en sårbarhet. De mätvärden som användes i denna studie var dock inte tillräckligt diskriminerande för att identifiera utvecklare med en högre risk att introducera sårbarheter eller buggar per commit. Ändå fungerar resultaten av denna studie som en grund för vidare studier inom detta område.
|
3 |
PROACTIVE VULNERABILITY IDENTIFICATION AND DEFENSE CONSTRUCTION -- THE CASE FOR CANKhaled Serag Alsharif (8384187) 25 July 2023 (has links)
<p>The progressive integration of microcontrollers into various domains has transformed traditional mechanical systems into modern cyber-physical systems. However, the beginning of this transformation predated the era of hyper-interconnectedness that characterizes our contemporary world. As such, the principles and visions guiding the design choices of this transformation had not accounted for many of today's security challenges. Many designers had envisioned their systems to operate in an air-gapped-like fashion where few security threats loom. However, with the hyper-connectivity of today's world, many CPS find themselves in uncharted territory for which they are unprepared.</p>
<p><br></p>
<p>An example of this evolution is the Controller Area Network (CAN). CAN emerged during the transformation of many mechanical systems into cyber-physical systems as a pivotal communication standard, reducing vehicle wiring and enabling efficient data exchange. CAN's features, including noise resistance, decentralization, error handling, and fault confinement mechanisms, made it a widely adopted communication medium not only in transportation but also in diverse applications such as factories, elevators, medical equipment, avionic systems, and naval applications.</p>
<p><br></p>
<p>The increasing connectivity of modern vehicles through CD players, USB sticks, Bluetooth, and WiFi access has exposed CAN systems to unprecedented security challenges and highlighted the need to bolster their security posture. This dissertation addresses the urgent need to enhance the security of modern cyber-physical systems in the face of emerging threats by proposing a proactive vulnerability identification and defense construction approach and applying it to CAN as a lucid case study. By adopting this proactive approach, vulnerabilities can be systematically identified, and robust defense mechanisms can be constructed to safeguard the resilience of CAN systems.</p>
<p><br></p>
<p>We focus on developing vulnerability scanning techniques and innovative defense system designs tailored for CAN systems. By systematically identifying vulnerabilities before they are discovered and exploited by external actors, we minimize the risks associated with cyber-attacks, ensuring the longevity and reliability of CAN systems. Furthermore, the defense mechanisms proposed in this research overcome the limitations of existing solutions, providing holistic protection against CAN threats while considering its performance requirements and operational conditions.</p>
<p><br></p>
<p>It is important to emphasize that while this dissertation focuses on CAN, the techniques and rationale used here could be replicated to secure other cyber-physical systems. Specifically, due to CAN's presence in many cyber-physical systems, it shares many performance and security challenges with those systems, which makes most of the techniques and approaches used here easily transferrable to them. By accentuating the importance of proactive security, this research endeavors to establish a foundational approach to cyber-physical systems security and resiliency. It recognizes the evolving nature of cyber-physical systems and the specific security challenges facing each system in today's hyper-connected world and hence focuses on a single case study. </p>
|
Page generated in 0.1129 seconds