Current techniques for software security vulnerability identification include the use of abstract, graph-based models to represent information about an attack. These models can be in the form of attack trees or attack nets and can be accompanied with a supporting text-based profile. Matching the abstract models to specific system architectures for effective vulnerability identification can be a challenging process. This thesis suggests that abstract regular expressions can be used to represent events of known attacks for the identification of security vulnerabilities in future applications. The process of matching the events in the regular expression to a sequence of components in a system design may facilitate the means of identifying vulnerabilities. Performing the approach in the design phase of a software process encourages security to be integrated early into a software application. Students in an undergraduate security course demonstrated a strong ability to accurately match regular expressions to a system design. The identification of vulnerabilities is limited to known attacks of other systems and does not offer descriptions of what new attacks are possible to a future application. Extending the approach to incorporate new attacks is an avenue of future work.
| Identifer | oai:union.ndltd.org:NCSU/oai:NCSU:etd-08202004-171053 |
| Date | 24 August 2004 |
| Creators | Gegick, Michael |
| Contributors | Dr. Annie Anton, Dr. Laurie Williams, Dr. Julie Earp |
| Publisher | NCSU |
| Source Sets | North Carolina State University |
| Language | English |
| Detected Language | English |
| Type | text |
| Format | application/pdf |
| Source | http://www.lib.ncsu.edu/theses/available/etd-08202004-171053/ |
| Rights | unrestricted, I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. |
Page generated in 0.001 seconds