prosved
Differences
prosved [2024/05/18 19:19] – [Dissemination & events] carlosesteban.budde@unitn.it | prosved [2024/11/25 21:16] (current) – [Dissemination & events] carlosesteban.budde@unitn.it | ||
---|---|---|---|
Line 17: | Line 17: | ||
* URL: https:// | * URL: https:// | ||
+ | This website reflects only the author' | ||
===== Objective and approach ===== | ===== Objective and approach ===== | ||
Line 50: | Line 51: | ||
==== Quantitative forecasts of security vulnerabilities ==== | ==== Quantitative forecasts of security vulnerabilities ==== | ||
- | TDTs (and ATs) offer optimal representations of codebases and their evolution in time, to allow quantitative studies of the propagation of security vulnerabilities---//but they do nothing to effectively quantify these probabilities.// | + | TDTs (and ATs) offer optimal representations of codebases and their evolution in time, to allow quantitative studies of the propagation of security vulnerabilities---but they do nothing to effectively quantify these probabilities. |
For that, ProSVED poses the following broad research question: | For that, ProSVED poses the following broad research question: | ||
- | > How does the probability of finding a security vulnerability in a software library evolve over time? | + | > //How does the probability of finding a security vulnerability in a software library evolve over time?// |
While time-dependence of exploits and vulnerabilities is agreed upon by the practitioners' | While time-dependence of exploits and vulnerabilities is agreed upon by the practitioners' | ||
Line 66: | Line 67: | ||
To generate more specific forecasts, ProSVED proposes divisions of the learning sets by attributes that are known or suspected to affect security vulnerability occurrence, such as library size, seniority of developers, and functional purpose. | To generate more specific forecasts, ProSVED proposes divisions of the learning sets by attributes that are known or suspected to affect security vulnerability occurrence, such as library size, seniority of developers, and functional purpose. | ||
- | {{: | + | > //From a singled-out set of libraries, ProSVED measures the time elapsed between the release of the source code and the publication of a CVE for it, fitting statistical models |
- | From a singled-out set of libraries, ProSVED measures the time elapsed between the release of the source code and the publication of a CVE for it, fitting statistical models | + | {{: |
This provides individual PDFs for specific types of codebases, that can be linked to the nodes that compose a TDT, by determining which type of library each such node represents. | This provides individual PDFs for specific types of codebases, that can be linked to the nodes that compose a TDT, by determining which type of library each such node represents. | ||
Line 74: | Line 75: | ||
Depending on the severity of the vulnerability, | Depending on the severity of the vulnerability, | ||
Quantifying these probabilities gives companies concrete estimates of the workload needed in the future, thus facilitating security-related decisions. | Quantifying these probabilities gives companies concrete estimates of the workload needed in the future, thus facilitating security-related decisions. | ||
+ | |||
+ | ProSVED has also studied analytical (or rather, numerical) compositions of the PDFs to spawn the multi-dimensional probabilistic space that describes the fluctuation of vuln. probability as a function of time in dense non-singular intervals. In layman terms, one can see the full landscape of " | ||
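Review bot: the new paragraph on composing the PDFs leaves "dense non-singular intervals" undefined; say which time intervals are meant and why singular points are excluded, since the rest of the page talks about probabilities at discrete CVE-publication times. Also "analytical (or rather, numerical) compositions" hedges between two different claims; pick one (if the composition is computed numerically, say so and drop "analytical"), and "In layman terms" should read "In layman's terms".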
===== Real-world examples and applications ===== | ===== Real-world examples and applications ===== | ||
- | {{ ::reddison_mistake.png?400 |}} | + | {{::tdt_example_maven.png?500|TDT example from the Java Maven library jira-core}} |
+ | Time Dependency Trees were designed as a lightweight graph structure capable of representing the evolution in time of entire dependency trees. | ||
+ | Such representations can be used to compute indices at the level of entire projects or even development environments. | ||
+ | For instance, an out-degree count in the nodes can determine the presence of pervasive dependencies, | ||
+ | Also, measuring the number of versions of (popular) libraries that were affected by published vulnerabilities is a high-level risk indicator of developing code in a specific ecosystem. | ||
+ | {{ : | ||
+ | |||
+ | When coupled with the PDFs fitted for the probability of vulnerability disclosure as a function of time, this can be used to find the weak spots in the dependency tree at different time points, and even quantify how much risk is posed by every dependency library. | ||
+ | |||
+ | Our studies for the Java/Maven library '' | ||
+ | |||
+ | **The problem** | ||
+ | --- | ||
+ | From a security perspective, | ||
+ | Our PDFs offer a quantification of such risks, as the probability of having a new CVE released for the dependency. | ||
+ | |||
+ | **What happened** | ||
+ | --- | ||
+ | In particular for this example, the high-severity [[https:// | ||
+ | Those specific library instances had been dependencies of '' | ||
+ | Hindsight then proved that this was a mistake when CVE-2021-39139 came out, and that factoring in '' | ||
+ | |||
+ | **The novelty of ProSVED** | ||
+ | --- | ||
+ | In that scenario there is no information on when will the next CVE be released, and which libraries (and which version) will it affect. | ||
+ | The TDT+PDF machinery of ProSVED changes that, providing estimate probabilities of the release of a new CVE for each library that a project is using as a dependency. | ||
+ | Applied to this example, from the dependencies of '' | ||
+ | This quantities produced by ProSVED are available to developers //before vulnerabilities like CVE-2021-39139 are released//, and here it indicates that the risk of facing a new vulnerability will be reduced if the developers of '' | ||
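Review bot: the claim that "an out-degree count in the nodes can determine the presence of pervasive dependencies" depends on the edge orientation of the TDT, which this section never states; if edges point from a project to the libraries it depends on, a pervasive library is the one with a high in-degree, so name the orientation and the degree being counted. In the CVE-2021-39139 walk-through, "Hindsight then proved that this was a mistake" and "here it indicates that the risk ... will be reduced" present a single retrospective case as validation of the forecast; phrase it as an illustration of what the estimates would have shown, and keep the validation claim for the fitted PDFs. Grammar in the same region: "This quantities produced by ProSVED are available" should be "These quantities produced by ProSVED are available", and "no information on when will the next CVE be released, and which libraries (and which version) will it affect" should be "no information on when the next CVE will be released, or which libraries (and which versions) it will affect".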
====== Scientific publications ====== | ====== Scientific publications ====== | ||
==== Journals ==== | ==== Journals ==== | ||
- | - :!: COSE | + | - **// |
- | - :!: DiB | + | - __Authors__: Carlos E. Budde, Anni Karinsalo, Silvia Vidor, Jarno Salonen, Fabio Massacci |
+ | - __Journal__: | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2023 | ||
+ | - **// | ||
+ | - __Authors__: Milan Lopuhaä-Zwakenberg, | ||
+ | - __Journal__: | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2023 | ||
+ | - **//CSEC+ framework assessment dataset: Expert evaluations of cybersecurity skills for job profiles in Europe// | ||
+ | - __Authors__: | ||
+ | - __Journal__: | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2023 | ||
+ | - **// | ||
+ | - __Authors__: | ||
+ | - __Journal__: | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2022 | ||
+ | - **// | ||
+ | - __Authors__: | ||
+ | - __Journal__: | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2022 | ||
==== International conferences ==== | ==== International conferences ==== | ||
- | - :!: FIG cybersec | + | - **//Digging for Decision Trees: A Case Study in Strategy Sampling and Learning// |
- | - :!: ??? | + | - __Authors__: Carlos E. Budde, Pedro R. D' |
+ | - __Conference__: | ||
+ | - __DOI__: (to appear) | ||
+ | - __Year__: 2024 | ||
+ | - **//Tools at the Frontiers of Quantitative Verification// | ||
+ | - __Authors__: Roman Andriushchenko, | ||
+ | - __Conference__: [[https:// | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2024 | ||
+ | - **// | ||
+ | - __Authors__: | ||
+ | - __Conference__: | ||
+ | - __DOI__: [[https:// | ||
+ | - __Year__: 2024 | ||
====== Dissemination & events ====== | ====== Dissemination & events ====== | ||
- | {{ : | + | {{ : |
A social objective of ProSVED is to raise awareness of cybersecurity practices in general, and the importance (and feasibility) of forecasting security vulnerabilities in particular. In this sense, ProSVED has been part of the following scientific and industrial dissemination events: | A social objective of ProSVED is to raise awareness of cybersecurity practices in general, and the importance (and feasibility) of forecasting security vulnerabilities in particular. In this sense, ProSVED has been part of the following scientific and industrial dissemination events: | ||
+ | * **Speck& | ||
+ | * Presentation video: https:// | ||
+ | * Presentation slides: https:// | ||
+ | * //Trento, IT// | ||
+ | * **ProSVED meeting**: [[https:// | ||
+ | * Presentation slides: {{ :: | ||
+ | * //Trento, IT// | ||
+ | * **SMARTITUDE GM' | ||
+ | * Presentation slides: {{ :: | ||
+ | * //Canazei, IT// | ||
+ | * **PI stories**: [[https:// | ||
+ | * Presentation slides: {{ :: | ||
+ | * //Trento, IT// | ||
+ | * **Lorentz Workshop**: [[https:// | ||
+ | * Presentation slides: {{ :: | ||
+ | * //Leiden, NL// | ||
* **SFSCON**: [[https:// | * **SFSCON**: [[https:// | ||
* Presentation video: https:// | * Presentation video: https:// | ||
* Presentation slides: https:// | * Presentation slides: https:// | ||
* //Bolzano, IT// | * //Bolzano, IT// | ||
- | * **Lorentz Workshop**: [[https:// | ||
- | * Presentation slides: {{ :: | ||
- | * //Leiden, NL// | ||
- | * **SMARTITUDE**: | ||
- | * Presentation slides: {{ :: | ||
- | * //Salerno, IT// | ||
* **Vuln4Cast**: | * **Vuln4Cast**: | ||
* Presentation slides: | * Presentation slides: | ||
* //Cardiff, UK// | * //Cardiff, UK// | ||
+ | * **SMARTITUDE kickoff**: formal models for security vulnerabilities in Smart Contracts | ||
+ | * Presentation slides: {{ :: | ||
+ | * //Salerno, IT// | ||
+ | * **Privacy Symposium**: | ||
+ | * Presentation slides: {{ :: | ||
+ | * //Venice, IT// | ||
+ | |||
+ | {{ Speck_and_Tech_meetup.jpg? | ||
====== Special thanks ====== | ====== Special thanks ====== | ||
Line 121: | Line 204: | ||
* D. Di Nucci (Univ. of Salerno, IT) | * D. Di Nucci (Univ. of Salerno, IT) | ||
* G. Di Tizio (Airbus, FR) | * G. Di Tizio (Airbus, FR) | ||
+ | * El Rulo y su Kepler Kompilator | ||