Bibliographic record - detail view

Author: Zhao, Mingyi
Title: Discovering and Mitigating Software Vulnerabilities through Large-Scale Collaboration
Source: (2016), (149 pages)
Full text: PDF
Ph.D. Dissertation, The Pennsylvania State University
Language: English
Document type: print; online; monograph
ISBN: 978-1-3696-2628-5
Keywords: Thesis; Dissertation; Computer Software; Information Security; Computer Security; Cooperation; Program Effectiveness; Risk Management; Costs; Models; Vandalism; Crime; Privacy; Crime Prevention
Abstract: In today's rapidly digitizing society, people place their trust in a wide range of digital services and systems that deliver the latest news, process financial transactions, store sensitive information, etc. However, this trust does not have a solid foundation, because the software code that supports this digital world has security vulnerabilities. These vulnerabilities are the root causes of many security incidents, ranging from massive user information leakages to the damage of industrial control systems. Security professionals have been working hard to eliminate software vulnerabilities, mainly with two approaches. The first approach is to protect software programs from unknown attacks at production run-time. The second approach is to continuously review and test a software product even after release, in order to find and fix vulnerabilities before attackers can exploit them. However, both approaches are limited by the capabilities and resources available to an individual program instance or a single organization. This dissertation proposes and evaluates novel approaches for discovering and mitigating software vulnerabilities based on large-scale collaboration, which overcome the limitations of an individual party. We first look at how software program instances can autonomously collaborate with each other to defend against zero-day attacks. We propose a new security defense called collaborative run-time protection, which distributes the high overhead of security monitoring across a set of software instances and coordinates the instances so that together they cover the potential vulnerability space. Once an instance detects a zero-day vulnerability, it quickly shares a codeless patch with the other instances so that the whole group becomes immune to the threat. We implement a prototype system called HeapCRP, which protects C/C++ programs from heap memory bugs. Our evaluation shows that HeapCRP is effective against real-world vulnerabilities, at low cost.
We next explore the rapidly growing vulnerability discovery ecosystem emerging from the collaboration between organizations and the global white hat hacker community. Our study shows that this collaboration has yielded tens of thousands of vulnerabilities discovered and fixed in the past several years, for a wide range of organizations, including many well-known Internet companies, financial institutions, and even government agencies. We further provide evidence that white hats' scrutiny makes finding new vulnerabilities increasingly difficult, indicating improved security for these organizations. However, we also identify several frictions that raise the cost and risk of such collaboration. Therefore, we further propose new models and policies to scale the promise of this collaboration to a larger number of organizations and white hats. We first propose a new hacker allocation mechanism to reduce the number of duplicated reports. Next, we evaluate existing bug bounty policies that aim to control the quality of submissions from hackers, and propose a new policy that has several advantages over existing ones. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by telephone at 1-800-521-0600. Web page: http://www.proquest.com/en-US/products/dissertations/individuals.shtml.] (As Provided).
Notes: ProQuest LLC. 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106. Tel: 800-521-0600; Web site: http://www.proquest.com/en-US/products/dissertations/individuals.shtml
Recorded by: ERIC (Education Resources Information Center), Washington, DC
Updated: 2020-01-01