

Title: The CVE Wayback Machine: Measuring Coordinated Disclosure from Exploits against Two Years of Zero-Days
Software security depends on coordinated vulnerability disclosure (CVD) from researchers, a process that the community has continually sought to measure and improve. Yet, CVD practices are only as effective as the data that informs them. In this paper, we use DScope, a cloud-based interactive Internet telescope, to build statistical models of vulnerability lifecycles, bridging the data gap in over 20 years of CVD research. By analyzing application-layer Internet scanning traffic over two years, we identify real-world exploitation timelines for 63 threats. We bring this data together with six additional datasets to build a complete birth-to-death model of these vulnerabilities, the most complete analysis of vulnerability lifecycles to date. Our analysis reaches three key recommendations: (1) CVD across diverse vendors shows lower effectiveness than previously thought, (2) intrusion detection systems are underutilized to provide protection for critical vulnerabilities, and (3) existing data sources of CVD can be augmented by novel approaches to Internet measurement. In this way, our vantage point offers new opportunities to improve the CVD process, achieving a safer software ecosystem in practice.
Award ID(s): 2320882
NSF-PAR ID: 10496964
Author(s) / Creator(s):
Publisher / Repository: IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference
Date Published:
Page Range / eLocation ID: 36-2522
Subject(s) / Keyword(s): Security and privacy; Vulnerability management; Networks; Network Measurement; Coordinated Vulnerability Disclosure; Internet Telescopes; Honeypots; Known Exploited Vulnerabilities; Intrusion Detection Systems
Format(s): Medium: X
Sponsoring Org: National Science Foundation
More Like this
  2.
    Background Cardiovascular disease (CVD) disparities are a particularly devastating manifestation of health inequity. Despite advancements in prevention and treatment, CVD is still the leading cause of death in the United States. Additionally, research indicates that African American (AA) and other ethnic-minority populations are affected by CVD at earlier ages than white Americans. Given that AAs are the fastest-growing population of smartphone owners and users, mobile health (mHealth) technologies offer the unparalleled potential to prevent or improve self-management of chronic disease among this population. Objective To address the unmet need for culturally tailored primordial prevention CVD–focused mHealth interventions, the MOYO app was cocreated with the involvement of young people from this priority community. The overall project aims to develop and evaluate the effectiveness of a novel smartphone app designed to reduce CVD risk factors among urban-AAs, 18-29 years of age. Methods The theoretical underpinning will combine the principles of community-based participatory research and the agile software development framework. The primary outcome goals of the study will be to determine the usability, acceptability, and functionality of the MOYO app, and to build a cloud-based data collection infrastructure suitable for digital epidemiology in a disparity population. Changes in health-related parameters over a 24-week period as determined by both passive (eg, physical activity levels, sleep duration, social networking) and active (eg, use of mood measures, surveys, uploading pictures of meals and blood pressure readings) measures will be the secondary outcome. Participants will be recruited from a majority AA “large city” school district, 2 historically black colleges or universities, and 1 urban undergraduate college. Following baseline screening for inclusion (administered in person), participants will receive the beta version of the MOYO app. 
Participants will be monitored during a 24-week pilot period. Analyses of varying data including social network dynamics, standard metrics of activity, percentage of time away from a given radius of home, circadian rhythm metrics, and proxies for sleep will be performed. Together with external variables (eg, weather, pollution, and socioeconomic indicators such as food access), these metrics will be used to train machine-learning frameworks to regress them on the self-reported quality of life indicators. Results This 5-year study (2015-2020) is currently in the implementation phase. We believe that MOYO can build upon findings of classical epidemiology and longitudinal studies like the Jackson Heart Study by adding greater granularity to our knowledge of the exposures and behaviors that affect health and disease, and creating a channel for outreach capable of launching interventions, clinical trials, and enhancements of health literacy. Conclusions The results of this pilot will provide valuable information about community cocreation of mHealth programs, efficacious design features, and essential infrastructure for digital epidemiology among young AA adults. International Registered Report Identifier (IRRID) DERR1-10.2196/16699 
  3. Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect, including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.
  4. Over the past decades, the major objectives of computer design have been to improve performance and to reduce cost, energy consumption, and size, while security has remained a secondary concern. Meanwhile, malicious attacks have rapidly grown as the number of Internet-connected devices, ranging from personal smart embedded systems to large cloud servers, has been increasing. Traditional antivirus software cannot keep up with the increasing incidence of these attacks, especially for exploits targeting hardware design vulnerabilities. For example, as DRAM process technology scales down, it becomes easier for DRAM cells to electrically interact with each other. For instance, in Rowhammer attacks, it is possible to corrupt data in nearby rows by reading the same row in DRAM. As Rowhammer exploits a computer hardware weakness, no software patch can completely fix the problem. Similarly, there is no efficient software mitigation to the recently reported attack Spectre. The attack exploits microarchitectural design vulnerabilities to leak protected data through side channels. In general, completely fixing hardware-level vulnerabilities would require a redesign of the hardware which cannot be backported. In this paper, we demonstrate that by monitoring deviations in microarchitectural events such as cache misses and branch mispredictions from existing CPU performance counters, hardware-level attacks such as Rowhammer and Spectre can be efficiently detected during runtime with promising accuracy and reasonable performance overhead using various machine learning classifiers.
  5. Penetration testing is a key practice toward engineering secure software. Malicious actors have many tactics at their disposal, and software engineers need to know what tactics attackers will prioritize in the first few hours of an attack. Projects like MITRE ATT&CK™ provide knowledge, but how do people actually deploy this knowledge in real situations? A penetration testing competition provides a realistic, controlled environment with which to measure and compare the efficacy of attackers. In this work, we examine the details of vulnerability discovery and attacker behavior with the goal of improving existing vulnerability assessment processes using data from the 2019 Collegiate Penetration Testing Competition (CPTC). We constructed 98 timelines of vulnerability discovery and exploits for 37 unique vulnerabilities discovered by 10 teams of penetration testers. We grouped related vulnerabilities together by mapping to Common Weakness Enumerations and MITRE ATT&CK™. We found that (1) vulnerabilities related to improper resource control (e.g., session fixation) are discovered faster and more often, as well as exploited faster, than vulnerabilities related to improper access control (e.g., weak password requirements), and (2) there is a clear process followed by penetration testers of discovery/collection to lateral movement/pre-attack. Our methodology facilitates quicker analysis of vulnerabilities in future CPTC events.