Advanced Search
CS Search Google Search
Subscribers, please login

Published Articles >> Table of Contents >> Abstract

2003 International Conference on Dependable Systems and Networks (DSN'03)   p. 605
A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities
Shuo Chen, University of Illinois at Urbana-Champaign
Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign
Jun Xu, University of Illinois at Urbana-Champaign
Ravishankar K. Iyer, University of Illinois at Urbana-Champaign
Full Article Text: Download PDF of full textBuy this articleGet full text from IEEE Xplore

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/DSN.2003.1209970
Send link to a friend

Abstract
This paper combines an analysis of data on security vulnerabilities (published in Bugtraq database) and a focused source-code examination to develop a finite state machine (FSM) model to depict and reason about security vulnerabilities. An in-depth analysis of the vulnerability reports and the corresponding source code of the applications leads to three observations: (i) exploits must pass through multiple elementary activities, (ii) multiple vulnerable operations on several objects are involved in exploiting a vulnerability, and (iii) the vulnerability data and corresponding code inspections allow us to derive a predicate for each elementary activity. Each predicate is represented as a primitive FSM (pFSM). Multiple pFSMs are then combined to create an FSM model of vulnerable operations and possible exploits. The proposed FSM methodology is exemplified by analyzing several types of vulnerabilities reported in the data: stack buffer overflow, integer overflow, heap overflow, input validation vulnerabilities, and format string vulnerabilities. For the studied vulnerabilities, we identify three types of pFSMs, which can be used to analyze operations involved in exploiting vulnerabilities and to identify the security checks to be performed at the elementary activity level. A demonstration of the practical usefulness of the FSM modeling approach was the discovery of a new heap overflow vulnerability now published in Bugtraq.
Additional Information
Index Terms- security vulnerabilities, data analysis, finite state machine modeling

Citation:  Shuo Chen, Zbigniew Kalbarczyk, Jun Xu, Ravishankar K. Iyer, "A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities," dsn, p. 605,  2003 International Conference on Dependable Systems and Networks (DSN'03),  2003

Similar Articles

Abstract Contents
Abstract
Index Terms
Citation

Download Citation
Ascii Text
BibTex
RefWorks
Procite/RefMan/Endnote




Free access to

  • Abstracts
  • Selected PDFs

Electronic subscribers login to:

  • Access HTML/PDFs of full text articles

Subscription information

Get a Web account

PDFs require Adobe Acrobat Reader.

Peer Review Notice

Give us Feedback