Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2010, Pages 251-260

  Clark, Sandy ^a   Frei, Stefan ^b   Blaze, Matt ^a   Smith, Jonathan ^a  

^a UNIVERSITY OF PENNSYLVANIA   (United States)

^b Secunia   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); COMPUTER SOFTWARE SELECTION AND EVALUATION; DEFECTS; LIFE CYCLE; ZERO-DAY ATTACK;

LEGACY CODE; PROPERTY; RELEASE DATE; SECURITY VULNERABILITIES; SOFTWARE DEFECTS; SOFTWARE LIFE CYCLES; SOFTWARE VULNERABILITIES; VULNERABILITY DISCOVERY; VULNERABILITY LIFE CYCLE; ZERO DAY VULNERABILITIES;

APPLICATION PROGRAMS;

EID: 78751477710     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1920261.1920299     Document Type: Conference Paper

References (35)

1. O.H. Alhamzi and Y.K. Malaiya. Modeling the vulnerability discovery process. In Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering( ISSRE'05), Washington, DC, USA, 2005.
2. William A. Arbaugh, William L. Fithen, and John McHugh. Windows of vulnerability: A case study analysis. Computer, 33(12):52-59, 2000.
3. Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. A few billion lines of code later: using static analysis to find bugs in the real world. Communications of the ACM, 53(2):66-75, 2010.
4. BlackDuck. Koders.com. http://corp.koders.com/about/, April 2010.
5. Frederick P. Brooks. The Mythical Man-Month: Essays on Software Engineering, 20th Anniversary Edition. Addison-Wesley Professional, August 1995.
6. A. Chou, J. Yang, B. Chelf, S. Hallem, and D. Engler. An empirical study of operating systems errors. In Proceedings, 18th ACM Symposium on Operating Systems Principles, pages 73-82, October 2001.
7. Sandy Clark, Matt Blaze, and Jonathan Smith. Blood in the water: Are there honeymoon effects outside software? In In Proceedings of the 18th Cambridge International Security Protocols Workshop -pending publication. Springer, 2010.
8. Benjamin Cox, David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-tuong, and Jason Hiser. N-variant systems: A secretless framework for security through diversity. In In Proceedings of the 15th USENIX Security Symposium, pages 105-120, 2006.
9. CVE. Common vulnerabilities and exposures, 2008.
10. Dr Dobbs Journal. Open Source Study Reveals High Level of Code Reuse. http://www.drdobbs.com/open-source/216401796, March 2009.
11. Stefan Frei. Security Econometrics - The Dynamics of (In)Security. Eth zurich, dissertation 18197, ETH Zurich, 2009. ISBN 1-4392-5409-5, ISBN-13: 9781439254097.
12. A.L. Goel and K. Okumoto. A time dependent error detection model for software reliability and other performance measures. IEEE Transactions on Reliability, R-28:206-211, August 1979.
13. Michael Howard and Steve Lipner. The Security Development Lifecycle. Microsoft Press, May 2006.
14. IBM Internet Security Systems - X-Force. X-Force Advisory. http://www.iss.net.
15. iDefense. Vulnerability Contributor Program. http://labs.idefense.com/ vcp.
16. Pankaj Jalote, Brendan Murphy, and Vibhu Saujanya Sharma. Post-release reliability growth in software products. ACM Trans. Softw. Eng. Methodol., 17(4):1-20, 2008.
17. Erland Jonsson and Tomas Olovsson. A quantitative model of the security intrusion process based on attacker behavior. IEEE Trans. Softw. Eng., 23(4):235-245, 1997.
18. M.C. McIlroy. Mass producted software components. Report to Scientific Affairs Division, NATO, October 1968.
19. Microsoft. Internet explorer architecture. http://msdn.microsoft.com/en- us/library/aa741312(VS.85).aspx, 2010.
20. Microsoft Corporation. Microsoft security development lifecycle. http://www.microsoft.com/security/sdl/benefits/measurable.aspx, September 2008.
21. John D. Musa. A theory of software reliability and its application. IEEE Transactions on Security Engineering, SE-1:312-327, September 1975.
22. John D. Musa, Anthony Iannino, and Kasuhira Okumoto. Software Reliability: Measurement, Prediction, Application. McGraw-Hill, 1987.
23. NIST. National Vulnerability Database, 2008.
24. Andy Ozment. Improving vulnerability discovery models. In QoP '07: Proceedings of the 2007 ACM workshop on Quality of protection, pages 6-11, New York, NY, USA, 2007. ACM.
25. Andy Ozment and Stuart E. Schechter. Milk or wine: does software security improve with age? In USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA, 2006. USENIX Association.
26. R.E. Prather. Theory of program testing - an overview. Bell System Technical Journal, 72(10):3073-3105, December 1983.
27. C.V. Ramamoorthy and F.B. Bastani. Software reliability - status and perspectives. IEEE Transactions on Software Engineering, SE-8(4):354-371, July 1982.
28. Sam Ransbotham. An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software. In Workshop on the Economics of Information Security (WEIS), June 2010.
29. Secunia. http://www.secunia.com. Vulnerability Intelligence Provider.
30. Security Focus. Vulnerabilities Database, 2008.
31. SecurityTracker. http://www.SecurityTracker.com. SecurityTracker.
32. TippingPoint. Zero day initiative (zdi). http://www.zerodayinitiative. com/.
33. US-CERT. Vulnerability statistics. http://www.cert.org/stats/ vulnerability\-remediation.html.
34. Vupen. Vupen security. http://www.vupen.com.
35. Chester Wisniewski. Windows 7 vulnerable to 8 out of 10 viruses, 2009. http://www.sophos.com/blogs/chetw/g/2009/11/03/windows-7-vulnerable-8-10- viruses/.