An empirical study of tactical vulnerabilities

Bibliographic Details
Published in: The Journal of Systems and Software, 2019-03, Vol. 149, pp. 263-284
Main Authors: Santos, Joanna C.S.; Tarrit, Katy; Sejfia, Adriana; Mirakhorli, Mehdi; Galster, Matthias
Format: Article
Language: English
Description

Highlights:
• A catalog of vulnerability types rooted in the design/implementation of tactics;
• An in-depth case study of tactical vulnerabilities in three open source systems;
• A detailed discussion of the root causes for tactical vulnerabilities;
• Promoting the awareness of vulnerabilities in the adoption of security tactics.

Summary: Architectural security tactics (e.g., authorization, authentication) are used to achieve stakeholders' security requirements. Security tactics allow the system to react to, resist, detect and recover from attacks. Flaws in the adoption of these tactics into the system's architecture, an incorrect implementation of security tactics, or deterioration of tactic implementations over time can introduce severe vulnerabilities that are exploitable by attackers. Therefore, in this work, we present the Common Architectural Weakness Enumeration (CAWE), a catalog of known weaknesses rooted in the design or implementation of security tactics which can result in tactical vulnerabilities. We categorized all known software weaknesses as tactic-related or non-tactic-related. This way, our CAWE catalog enumerates common weaknesses in a security architecture that can lead to tactical vulnerabilities. From our CAWE catalog, we found 223 different types of tactical vulnerabilities. In this work, we also used this catalog to study tactical vulnerabilities in three large-scale open source projects: Chromium, PHP, and Thunderbird. In a detailed analysis, we identified the most frequently occurring vulnerability types in these projects. From this study we observed that (i) Improper Input Validation and Improper Access Control were the most frequently occurring vulnerability types in Chromium, PHP and Thunderbird, and (ii) "Validate Inputs" and "Authorize Actors" were the security tactics most affected by these tactical vulnerabilities.

Moreover, in a qualitative analysis of 632 tactical vulnerabilities and their fixes in these systems, we characterized their root causes and investigated the way the original developers of each system fixed these vulnerabilities. From this qualitative analysis, we found 44 distinct root causes that lead to these tactical vulnerabilities. The results of this study not only show how architectural weaknesses in systems have created severe vulnerabilities, but also provide recommendations driven by empirical data for addressing such security problems.
ISSN: 0164-1212; 1873-1228
DOI: 10.1016/j.jss.2018.10.030