Vulnerable Version

The Experts below are selected from a list of 11916 Experts worldwide ranked by ideXlab platform

Fabio Massacci - One of the best experts on this subject based on the ideXlab platform.

  • The (Un)Reliability of NVD Vulnerable Versions Data: an Empirical Experiment on Google Chrome Vulnerabilities
    arXiv: Cryptography and Security, 2013
    Co-Authors: Viet Hung Nguyen, Fabio Massacci
    Abstract:

    NVD is one of the most popular databases used by researchers to conduct empirical research on data sets of vulnerabilities. Our recent analysis on Chrome vulnerability data reported by NVD has revealed an abnormal phenomenon in the data where almost all vulnerabilities originated from the first versions. This inspires our experiment to validate the reliability of the NVD vulnerable version data. In this experiment, we verify whether each version of Chrome that NVD claims is vulnerable is actually vulnerable. The experiment revealed several errors in the vulnerability data of Chrome. Furthermore, we have also analyzed how these errors might impact the conclusions of an empirical study on foundational vulnerability. Our results show that different conclusions could be obtained due to the data errors.

  • AsiaCCS - The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google Chrome vulnerabilities
    Proceedings of the 8th ACM SIGSAC symposium on Information computer and communications security - ASIA CCS '13, 2013
    Co-Authors: Viet Hung Nguyen, Fabio Massacci

Viet Hung Nguyen - One of the best experts on this subject based on the ideXlab platform.

  • The (Un)Reliability of NVD Vulnerable Versions Data: an Empirical Experiment on Google Chrome Vulnerabilities
    arXiv: Cryptography and Security, 2013
    Co-Authors: Viet Hung Nguyen, Fabio Massacci

  • AsiaCCS - The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google Chrome vulnerabilities
    Proceedings of the 8th ACM SIGSAC symposium on Information computer and communications security - ASIA CCS '13, 2013
    Co-Authors: Viet Hung Nguyen, Fabio Massacci

Frédéric Tronel - One of the best experts on this subject based on the ideXlab platform.

  • RAID - Automatic Software Instrumentation for the Detection of Non-control-data Attacks
    Lecture Notes in Computer Science, 2009
    Co-Authors: Jonathan-Christofer Demay, Eric Totel, Frédéric Tronel
    Abstract:

    To detect intrusions resulting from an attack that corrupted data items used by a program to perform its computation, we propose an approach that automatically instruments programs to control a data-based behavior model during their execution. We build our model by discovering the sets of data the system calls depend on and which constraints these sets must verify at runtime. We have implemented our approach using a static analysis framework called Frama-C and we present the results of experiments on a vulnerable version of OpenSSH.

Jonathan-Christofer Demay - One of the best experts on this subject based on the ideXlab platform.

  • RAID - Automatic Software Instrumentation for the Detection of Non-control-data Attacks
    Lecture Notes in Computer Science, 2009
    Co-Authors: Jonathan-Christofer Demay, Eric Totel, Frédéric Tronel

Antonino Sabetta - One of the best experts on this subject based on the ideXlab platform.

  • ICSME - Impact assessment for vulnerabilities in open-source software libraries
    2015 IEEE International Conference on Software Maintenance and Evolution (ICSME), 2015
    Co-Authors: Henrik Plate, Serena Elisa Ponta, Antonino Sabetta
    Abstract:

    Software applications integrate more and more open-source software (OSS) to benefit from code reuse. As a drawback, each vulnerability discovered in bundled OSS may potentially affect the application that includes it. Upon the disclosure of every new vulnerability, the application vendor has to assess whether such vulnerability is exploitable in the particular usage context of the applications, and needs to determine whether customers require an urgent patch containing a non-vulnerable version of the OSS. Unfortunately, current decision making relies mostly on natural-language vulnerability descriptions and expert knowledge, and is therefore difficult, time-consuming, and error-prone. This paper proposes a novel approach to support the impact assessment based on the analysis of code changes introduced by security fixes. We describe our approach using an illustrative example and perform a comparison with both proprietary and open-source state-of-the-art solutions. Finally, we report on our experience with a sample application and two industrial development projects.