DISI Security Research Group Wiki

User Tools

Site Tools

Trace:
prosved

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
prosved [2024/05/18 19:19] – [Dissemination & events] carlosesteban.budde@unitn.itprosved [2024/11/25 21:16] (current) – [Dissemination & events] carlosesteban.budde@unitn.it
Line 17: Line 17:
   * URL: https://cordis.europa.eu/project/id/101067199   * URL: https://cordis.europa.eu/project/id/101067199
  
 +This website reflects only the author's view and is his sole responsibility. The European Commission's Research Executive Agency is not responsible for any use that may be made of the information it contains.
 ===== Objective and approach ===== ===== Objective and approach =====
  
Line 50: Line 51:
 ==== Quantitative forecasts of security vulnerabilities ==== ==== Quantitative forecasts of security vulnerabilities ====
  
-TDTs (and ATs) offer optimal representations of codebases and their evolution in time, to allow quantitative studies of the propagation of security vulnerabilities---//but they do nothing to effectively quantify these probabilities.//+TDTs (and ATs) offer optimal representations of codebases and their evolution in time, to allow quantitative studies of the propagation of security vulnerabilities---but they do nothing to effectively quantify these probabilities.
 For that, ProSVED poses the following broad research question: For that, ProSVED poses the following broad research question:
  
-> How does the probability of finding a security vulnerability in a software library evolve over time?+//How does the probability of finding a security vulnerability in a software library evolve over time?//
  
 While time-dependence of exploits and vulnerabilities is agreed upon by the practitioners' community---see e.g. [[https://www.first.org/cvss/v3.1/specification-document#Temporal-Metrics|the Temporal Metrics from the CVSS standard]]---the great majority of research has focused on the //detection// of vulnerabilities already known in the code. Some past attempts to generate vulnerability forecasts have used time-series machinery: one of the most modern and tangible outcomes is provided by the Vulnerability Forecasting interest group of FIRST, which is periodically updated to reflect yearly and quarterly projections of CVEs: https://github.com/FIRSTdotorg/Vuln4Cast/blob/main/README.md. While time-dependence of exploits and vulnerabilities is agreed upon by the practitioners' community---see e.g. [[https://www.first.org/cvss/v3.1/specification-document#Temporal-Metrics|the Temporal Metrics from the CVSS standard]]---the great majority of research has focused on the //detection// of vulnerabilities already known in the code. Some past attempts to generate vulnerability forecasts have used time-series machinery: one of the most modern and tangible outcomes is provided by the Vulnerability Forecasting interest group of FIRST, which is periodically updated to reflect yearly and quarterly projections of CVEs: https://github.com/FIRSTdotorg/Vuln4Cast/blob/main/README.md.
Line 66: Line 67:
 To generate more specific forecasts, ProSVED proposes divisions of the learning sets by attributes that are known or suspected to affect security vulnerability occurrence, such as library size, seniority of developers, and functional purpose. To generate more specific forecasts, ProSVED proposes divisions of the learning sets by attributes that are known or suspected to affect security vulnerability occurrence, such as library size, seniority of developers, and functional purpose.
  
-{{:3dplot_joint_pdf_local_snl_lastver.png?300 |Probability of vulnerabilities in libraries with little exposure to the Internet}}+> //From a singled-out set of libraries, ProSVED measures the time elapsed between the release of the source code and the publication of a CVE for it, fitting statistical models to come up with probability density functions (PDFs) for the publication of a CVE since code release.//
  
-From a singled-out set of libraries, ProSVED measures the time elapsed between the release of the source code and the publication of a CVE for it, fitting statistical models to come up with probability density functions (PDFs) for the publication of a CVE since code release.+{{:3dplot_joint_pdf_local_snl_lastver.png?300 |Probability of vulnerabilities in libraries with little exposure to the Internet}}
  
 This provides individual PDFs for specific types of codebases, that can be linked to the nodes that compose a TDT, by determining which type of library each such node represents. This provides individual PDFs for specific types of codebases, that can be linked to the nodes that compose a TDT, by determining which type of library each such node represents.
Line 74: Line 75:
 Depending on the severity of the vulnerability, or more fine-grained information such as the potential attack vector, this can represent a disruptive event that forces the release of urgent patches. Depending on the severity of the vulnerability, or more fine-grained information such as the potential attack vector, this can represent a disruptive event that forces the release of urgent patches.
 Quantifying these probabilities gives companies concrete estimates of the workload needed in the future, thus facilitating security-related decisions. Quantifying these probabilities gives companies concrete estimates of the workload needed in the future, thus facilitating security-related decisions.
 +
 +ProSVED has also studied analytical (or rather, numerical) compositions of the PDFs to spawn the multi-dimensional probabilistic space that describes the fluctuation of vuln. probability as a function of time in dense non-singular intervals. In layman terms, one can see the full landscape of "vulnerability probability" up to a chosen future moment in time. While this suffers from the curse of dimensionality, which renders it impractical to visualize all dependencies of a project, it allows to single out a few codebases---e.g. dependencies of main concern, usual suspects---and study them in greater detail than via TDT analysis, which can only produce punctual aggregated results.
  
 ===== Real-world examples and applications ===== ===== Real-world examples and applications =====
  
-{{ ::reddison_mistake.png?400 |}}+{{::tdt_example_maven.png?500|TDT example from the Java Maven library jira-core}}
  
 +Time Dependency Trees were designed as a lightweight graph structure capable of representing the evolution in time of entire dependency trees.
 +Such representations can be used to compute indices at the level of entire projects or even development environments.
 +For instance, an out-degree count in the nodes can determine the presence of pervasive dependencies, whose exploitation poses a threat to large portions of a project across several versions of libraries.
 +Also, measuring the number of versions of (popular) libraries that were affected by published vulnerabilities is a high-level risk indicator of developing code in a specific ecosystem.
  
 +{{ :reddison_mistake.png?450|Developers' view and hindsight of vulnerabilities in code development chains}}
 +
 +When coupled with the PDFs fitted for the probability of vulnerability disclosure as a function of time, this can be used to find the weak spots in the dependency tree at different time points, and even quantify how much risk is posed by every dependency library.
 +
 +Our studies for the Java/Maven library ''[[https://mvnrepository.com/artifact/com.atlassian.jira/jira-core|jira-core]]'' offer a concrete example of these capabilities. This library implements the source code for the core of [[https://www.atlassian.com/software/jira|the Jira project]], which is one of the most popular bug trackers in the world. The source code of ''jira-core'' depends on many other libraries, such as ''[[https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream|xstream]]'' for XML serialisation, and all those codebases are periodically updated.
 +
 +**The problem**
 +---
 +From a security perspective, when a new release of ''jira-core'' is being prepared, it makes sense to ask whether the newest version of a dependency such as ''xstream'' should be factored in or not---and the answer is far for trivial, since new code could bring in zero-day vulnerabilities, while older code has been around for a longer time, so it could also be the target of better engineered attacks.
 +Our PDFs offer a quantification of such risks, as the probability of having a new CVE released for the dependency.
 +
 +**What happened**
 +---
 +In particular for this example, the high-severity [[https://nvd.nist.gov/vuln/detail/CVE-2021-39139|CVE-2021-39139]]   released on late August of 2021 affects ''xstream'' version 1.4.17 and earlier, which had been fixed in ''xstream:1.4.18'' released earlier that month.
 +Those specific library instances had been dependencies of ''jira-core'' for months, and the August releases of versions 8.19.0 and 8.19.1 of ''jira-core'' (prior to the disclosure of the vulnerability) decided to keep the old versions of ''xstream''.
 +Hindsight then proved that this was a mistake when CVE-2021-39139 came out, and that factoring in ''xstream:1.4.18'' would have avoided the vulnerability that was faced by the decision to keep using ''xstream:1.4.17''.
 +
 +**The novelty of ProSVED**
 +---
 +In that scenario there is no information on when will the next CVE be released, and which libraries (and which version) will it affect.
 +The TDT+PDF machinery of ProSVED changes that, providing estimate probabilities of the release of a new CVE for each library that a project is using as a dependency.
 +Applied to this example, from the dependencies of ''jira-core'' related to ''xstream'' we find two libraries that pose a large security risk: ''mxparser'' with a 0.0836 chance, and ''xstream'' itself with a 0.070 chance of having a new CVE released in 45 days counting since July 25, 2021.
 +This quantities produced by ProSVED are available to developers //before vulnerabilities like CVE-2021-39139 are released//, and here it indicates that the risk of facing a new vulnerability will be reduced if the developers of ''jira-core'' adopy any new version available for ''mxparser'' or ''xstream'', which matches what eventually happened in that case.
 ====== Scientific publications ====== ====== Scientific publications ======
 ==== Journals ==== ==== Journals ====
-  - :!COSE +  - **//Consolidating cybersecurity in EuropeA case study on job profiles assessment//** 
-  - :!DiB+    - __Authors__Carlos E. Budde, Anni Karinsalo, Silvia Vidor, Jarno Salonen, Fabio Massacci 
 +    - __Journal__: Computers & Security 
 +    - __DOI__: [[https://www.sciencedirect.com/science/article/pii/S0167404822004746?via%3Dihub|10.1016/j.cose.2022.103082]] 
 +    - __Year__: 2023 
 +  - **//Efficient and Generic Algorithms for Quantitative Attack Tree Analysis//** 
 +    - __Authors__Milan Lopuhaä-Zwakenberg, Carlos E. Budde, Mariëlle Stoelinga 
 +    - __Journal__: IEEE Transactions on Dependable and Secure Computing 
 +    - __DOI__: [[https://ieeexplore.ieee.org/document/9925106|10.1109/TDSC.2022.3215752]] 
 +    - __Year__: 2023 
 +  - **//CSEC+ framework assessment dataset: Expert evaluations of cybersecurity skills for job profiles in Europe//** 
 +    - __Authors__: Carlos E. Budde, Anni Karinsalo, Silvia Vidor, Jarno Salonen, Fabio Massacci 
 +    - __Journal__: Data in Brief 
 +    - __DOI__: [[https://www.sciencedirect.com/science/article/pii/S2352340923004043?via%3Dihub|10.1016/j.dib.2023.109285]] 
 +    - __Year__: 2023 
 +  - **//Automated fault tree learning from continuous-valued sensor data: a case study on domestic heaters//** 
 +    - __Authors__: Bart Verkuil, Carlos E. Budde, Doina Bucur 
 +    - __Journal__: International Journal of Prognostics and Health Management 
 +    - __DOI__: [[https://papers.phmsociety.org/index.php/ijphm/article/view/3160|https://doi.org/10.36001/ijphm.2022.v13i2.3160]] 
 +    - __Year__: 2022 
 +  - **//Analysis of non-Markovian repairable fault trees through rare event simulation//** 
 +    - __Authors__: Carlos E. Budde, Pedro R. D’Argenio, Raúl E. Monti, Mariëlle Stoelinga 
 +    - __Journal__: International Journal on Software Tools for Technology Transfer 
 +    - __DOI__: [[https://link.springer.com/article/10.1007/s10009-022-00675-x|10.1007/s10009-022-00675-x]] 
 +    - __Year__2022
 ==== International conferences ==== ==== International conferences ====
-  - :!FIG cybersec +  - **//Digging for Decision TreesA Case Study in Strategy Sampling and Learning//** 
-  - :!??? +    - __Authors__Carlos E. Budde, Pedro R. D'Argenio, Arnd Hartmanns 
 +    - __Conference__: [[https://2024-isola.isola-conference.org/|ISoLA 2024]] 
 +    - __DOI__: (to appear) 
 +    - __Year__: 2024 
 +  - **//Tools at the Frontiers of Quantitative Verification//** 
 +    - __Authors__Roman Andriushchenko, Alexander Bork, Carlos E. Budde et al. 
 +    - __Conference__[[https://tacas.info/toolympics2023.php|TACAS: TOOLympics Challenge 2023]] 
 +    - __DOI__: [[https://link.springer.com/chapter/10.1007/978-3-031-67695-6_4|10.1007/978-3-031-67695-6_4]] 
 +    - __Year__: 2024 
 +  - **//Transient Evaluation of Non-Markovian Models by Stochastic State Classes and Simulation//** 
 +    - __Authors__: Gabriel Dengler, Laura Carnevali, Carlos E. Budde, Enrico Vicario 
 +    - __Conference__: [[https://www.qest-formats.org/papers.html|QEST+FORMATS 2024]] 
 +    - __DOI__: [[https://link.springer.com/chapter/10.1007/978-3-031-68416-6_13|10.1007/978-3-031-68416-6_13]] (and [[https://arxiv.org/abs/2406.16447|the preprint]]) 
 +    - __Year__: 2024
  
 ====== Dissemination & events ====== ====== Dissemination & events ======
  
-{{ :sfscon_best_time_to_update.png?300|SFSCON presentation}}+{{ :sfscon_best_time_to_update.png?300|SFSCON presentation 2023}}
  
 A social objective of ProSVED is to raise awareness of cybersecurity practices in general, and the importance (and feasibility) of forecasting security vulnerabilities in particular. In this sense, ProSVED has been part of the following scientific and industrial dissemination events: A social objective of ProSVED is to raise awareness of cybersecurity practices in general, and the importance (and feasibility) of forecasting security vulnerabilities in particular. In this sense, ProSVED has been part of the following scientific and industrial dissemination events:
  
 +  * **Speck&Tech**: [[https://speckand.tech/2024/10/threat-prediction|Threat prediction]]
 +    * Presentation video: https://www.youtube.com/live/I4o_CH_T-v8?t=3324s
 +    * Presentation slides: https://www.slideshare.net/slideshow/foretell-security-attacks-in-foss-yes-please-but-how/272596860
 +    * //Trento, IT//
 +  * **ProSVED meeting**: [[https://webmagazine.unitn.it/en/evento/disi/121125/prosved-project-closing-event|Final event]]
 +    * Presentation slides: {{ ::talk_prosved_final.pdf  |}}
 +    * //Trento, IT//
 +  * **SMARTITUDE GM'24**: Quantifying risk (impact) of Smart Contracts vulnerabilities
 +    * Presentation slides: {{ ::talk_smartitude_2024.pdf |}}
 +    * //Canazei, IT//
 +  * **PI stories**: [[https://webmagazine.unitn.it/en/evento/drict/120901/third-times-the-charm|Third time's the charm]]
 +    * Presentation slides: {{ ::talk_pi_seminar_2024.pdf |}}
 +    * //Trento, IT//
 +  * **Lorentz Workshop**: [[https://www.lorentzcenter.nl/predictive-maintenance-let-data-maintain-the-model.html|Predictive Maintenance: Let Data Maintain the Model]]
 +    * Presentation slides: {{ ::talk_lorentz_2023.pdf |}}
 +    * //Leiden, NL//
   * **SFSCON**: [[https://www.sfscon.it/|South Tyrol Free Software Conference]]   * **SFSCON**: [[https://www.sfscon.it/|South Tyrol Free Software Conference]]
     * Presentation video: https://vimeo.com/886816725     * Presentation video: https://vimeo.com/886816725
     * Presentation slides: https://www.slideshare.net/slideshow/sfscon23-carlos-esteban-budde-predict-security-attacks-in-foss/264283292?from_search=0     * Presentation slides: https://www.slideshare.net/slideshow/sfscon23-carlos-esteban-budde-predict-security-attacks-in-foss/264283292?from_search=0
     * //Bolzano, IT//     * //Bolzano, IT//
-  * **Lorentz Workshop**: [[https://www.lorentzcenter.nl/predictive-maintenance-let-data-maintain-the-model.html|Predictive Maintenance: Let Data Maintain the Model]] 
-    * Presentation slides: {{ ::talk_lorentz_2023.pdf |}} 
-    * //Leiden, NL// 
-  * **SMARTITUDE**: formal models for security vulnerabilities in Smart Contracts 
-    * Presentation slides: {{ ::talk_smartitude_2023.pdf |}} 
-    * //Salerno, IT// 
   * **Vuln4Cast**: [[https://www.first.org/events/colloquia/cardiff2023/|FIRST group technical colloquium]]   * **Vuln4Cast**: [[https://www.first.org/events/colloquia/cardiff2023/|FIRST group technical colloquium]]
     * Presentation slides:  https://www.first.org/resources/papers/cardiff2023/Vuln4Cast-Budde.-Paramitha.-Massacci.pdf     * Presentation slides:  https://www.first.org/resources/papers/cardiff2023/Vuln4Cast-Budde.-Paramitha.-Massacci.pdf
     * //Cardiff, UK//     * //Cardiff, UK//
 +  * **SMARTITUDE kickoff**: formal models for security vulnerabilities in Smart Contracts
 +    * Presentation slides: {{ ::talk_smartitude_2023.pdf |}}
 +    * //Salerno, IT//
 +  * **Privacy Symposium**: [[https://sites.grenadine.co/sites/iot/en/2022-privacy-symposium-conference/schedule/8529/CyberSec4Europe%20-%20Research%20to%20Innovation%3A%20Common%20Research%20Framework%20on%20Security%20and%20Privacy|Research to Innovation: Common Research Framework on Security and Privacy]]
 +    * Presentation slides: {{ ::talk_psymp_2022.pdf |}}
 +    * //Venice, IT//
 +
 +{{ Speck_and_Tech_meetup.jpg?699 | Speck&Tech meetup 2024 }}
  
 ====== Special thanks ====== ====== Special thanks ======
Line 121: Line 204:
   * D. Di Nucci (Univ. of Salerno, IT)   * D. Di Nucci (Univ. of Salerno, IT)
   * G. Di Tizio (Airbus, FR)   * G. Di Tizio (Airbus, FR)
 +  * El Rulo y su Kepler Kompilator
  
prosved.1716052769.txt.gz · Last modified: by carlosesteban.budde@unitn.it
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki