Jukka Ruohonen

The sigmoidal growth of operating system security vulnerabilities: An empirical revisit

Purpose. Motivated by the calls for more replications, this paper evaluates a theoretical model for the sigmoidal growth of operating system security vulnerabilities by replicating and extending the existing empirical evidence. Approach. The paper investigates the growth of software security vulnerabilities by fitting the linear, logistic, and Gompertz growth models with nonlinear least squares to time series data that covers a number of operating system products from Red Hat and Microsoft. Results. Although the fitted models are not free of statistical problems, the empirical results show that a sigmoidal growth function can be used for descriptive purposes. The paper further shows that a sigmoidal trend applies also to the number of software faults that were fixed in the Red Hat products. Conclusion. The paper supports the contested theoretical growth model. The few discussed theoretical problems can be used to develop the model further.

Trading exploits online: A preliminary case study

A software defect that exposes a software system to a cyber security attack is known as a software vulnerability. A software security exploit is an engineered software solution that successfully exploits the vulnerability. Exploits are used to break into computer systems, but exploits are currently used also for security testing, security analytics, intrusion detection, consultation, and other legitimate and legal purposes. A well-established market emerged in the 2000s for software vulnerabilities. The current market segments populated by small and medium-sized companies exhibit signals that may eventually lead to a similar industrialization of software exploits. To these ends and against these industry trends, this paper observes the first online market place for trading exploits between buyers and sellers. The paper adopts three different perspectives to study the case. The paper (a) portrays the studied exploit market place against the historical background in the software security industry. A qualitative assessment is made to (b) evaluate the case against the common characteristics of traditional online market places. The qualitative observations are used in the quantitative part (c) for predicting the price of exploits with partial least squares regression. The results show that (i) the case is unique from a historical perspective, although (ii) the online market place characteristics are familiar. The regression estimates also indicate that (iii) the pricing of exploits is only partially dependent on such factors as the targeted platform, the date of disclosure of the exploited vulnerability, and the quality assurance service provided by the market place provider. The results allow to contemplate (iv) practical means for enhancing the market place.

Classifying Web Exploits with Topic Modeling

This short empirical paper investigates how well topic modeling and database meta-data characteristics can classify web and other proof-of-concept (PoC) exploits for publicly disclosed software vulnerabilities. By using a dataset comprised of over 36 thousand PoC exploits, near a 0.9 accuracy rate is obtained in the empirical experiment. Text mining and topic modeling are a significant boost factor behind this classification performance. In addition to these empirical results, the paper contributes to the research tradition of enhancing software vulnerability information with text mining, providing also a few scholarly observations about the potential for semi-automatic classification of exploits in the existing tracking infrastructures.

Time series trends in software evolution

The laws of software evolution were formulated to describe time series trends in software over time.

Modeling the delivery of security advisories and CVEs

This empirical paper models three structural factors that are hypothesized to affect the turnaround times between the publication of security advisories and Common Vulnerabilities and Exposures (CVEs). The three structural factors are: (i) software product age at the time of advisory release; (ii) severity of vulnerabilities coordinated; and (iii) amounts of CVEs referenced in advisories. Although all three factors are observed to provide only limited information for statistically predicting the turnaround times in a dataset comprised of Microsoft, openSUSE, and Ubuntu operating system products, the paper outlines new research directions for better understanding the current problems related to vulnerability coordination.

Top management support in software cost estimation: A study of attitudes and practice in Finland

Purpose – A cost estimate is considered to have a high impact on software project success. Because of this, different methodologies for creating an accurate estimate have been studied over decades. Many methodologies produce accurate results, when used properly. However, software projects still suffer from inaccurate estimates. The disparity may result from organisational hindrances. This paper focuses on top management support (TMS) for software cost estimation (SCE). The purpose of this paper is to identify current practices and attitudes of top management involvement in SCE, and to analyse the relationship between these two and project success. Design/methodology/approach – A list of 16 TMS practices for SCE has been developed. A survey was conducted to capture the frequency of use and the experienced importance of support practices. Data has been collected from 114 software professionals in Finland. Correlations between the frequency of use, attitudes and project success were analysed. Findings – Top ...

Mining social networks of open source CVE coordination

Coordination is one central tenet of software engineering practices and processes. In terms of software vulnerabilities, coordination is particularly evident in the processes used for obtaining Common Vulnerabilities and Exposures (CVEs) identifiers for discovered and disclosed vulnerabilities. As the central CVE tracking infrastructure maintained by the non-profit MITRE Corporation has recently been criticized for time delays in CVE assignment, almost an ideal case is available for studying software and security engineering coordination practices with practical relevance. Given this pragmatic motivation, this paper examines open source CVE coordination that occurs on the public oss-security mailing list. By combining social network analysis with a data-driven, exploratory research approach, the paper asks six data mining questions with practical relevance. By contemplating about answers to the questions asked by means of descriptive statistics, the paper consequently contributes not only to the contemporary industry debates, but also to the tradition of empirical vulnerability research. The perspective and the case are both novel in this tradition, thus opening new avenues for further empirical inquiries and practical improvements for the contemporary CVE coordination.

Evaluating the use of internet search volumes for time series modeling of sales in the video game industry

Internet search volumes have been successfully adopted for time series analysis of different phenomena. This empirical paper evaluates the feasibility of search volumes in modeling of weekly video game sales. Building on the theoretical concepts of product life cycle, diffusion, and electronic word-of-mouth advertisement, the empirical analysis concentrates on the hypothesized Granger causality between sales and search volumes. By using a bivariate vector autoregression model with a dataset of nearly a hundred video games, only a few games exhibit such causality to either direction. When correlations are present, these rather occur instantaneously; the current weekly amount of sales tends to mirror the current weekly amount of searches. According to the results, search volumes contribute only a limited additional statistical power for forecasting, however. Besides this statistical limitation, the presented evaluation reveals a number of other limitations for use in practical marketing and advertisement foresight. Internet search volumes continue to provide a valuable empirical instrument, but the value should not be exaggerated for time series modeling of video game sales.

A Survey on Internal Interfaces Used by Exploits and Implications on Interface Diversification

The idea of interface diversification is that internal interfaces in the system are transformed into unique secret instances. On one hand, the trusted programs in the system are accordingly modified so that they can use the diversified interfaces. On the other hand, the malicious code injected into a system does not know the diversification secret, that is the language of the diversified system, and thus it is rendered useless. Based on our study of 500 exploits, this paper surveys the different interfaces that are targeted in malware attacks and can potentially be diversified in order to prevent the malware from reaching its goals. In this study, we also explore which of the identified interfaces have already been covered in existing diversification research and which interfaces should be considered in future research. Moreover, we discuss the benefits and drawbacks of diversifying these interfaces. We conclude that diversification of various internal interfaces could prevent or mitigate roughly 80 % of the analyzed exploits. Most interfaces we found have already been diversified as proof-of-concept implementations but diversification is not widely used in practical systems.

Exploring the clustering of software vulnerability disclosure notifications across software vendors

This exploratory empirical paper investigates annual time delays between vulnerability disclosure notifications and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. The computed network (d) clusters can be also interpreted by reflecting these against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efficiency of vulnerability disclosure could be improved.