Introduction
Each year, a large number of vulnerabilities are discovered and reported. In the context of computer security, a vulnerability can be defined as a weakness that allows an attacker to threaten a system’s confidentiality, availability or integrity.
When faced with a new vulnerability, vendors tend to issue patches or upgrades to fix the underlying issue. However, issuing and providing a patch or upgrade often involves a considerable delay, and during this interval systems are prone to exploits. In this regard, an effective approach is to find a workaround. Workarounds are solutions that mitigate the risk of a vulnerability being exploited, for instance, changing access control or enabling filtering (Holm, 2012).
So far, inadequate attention has been paid to providing structured information on workaround solutions. Most available vulnerability databases do not include workaround solutions as a separate information element in their records. Some of these databases include workarounds for only a small number of vulnerabilities, and they often list the workarounds as part of the vulnerability’s solution. In this regard, comprehensive and structured databases containing workaround solutions with consistent categories can effectively help security experts build automated systems to deal with new vulnerabilities.
The main contributions of this study are as follows:
1. Introducing a general categorization for vulnerability workarounds: In the literature, comprehensive categories have not been provided for vulnerability workarounds until now;
2. Compiling a vulnerability workaround database (VuWaDB): This database contains accurate data that were gathered, analysed and labelled manually from some reliable databases;
3. Analysing workaround data trends: The VuWaDB was analysed with regard to time, severity and type of vulnerabilities.
Literature Review
There are various vulnerability databases; however, only some of them report available patches and upgrades to deal with vulnerabilities. OSVDB (2018), Security Tracker (2018) and CERT CC Vulnerability Notes (2018) are amongst these databases. Due to their reliability, they are widely used by many researchers; however, they provide workarounds for only a small number of vulnerabilities in their solution fields. In fact, so far little attention has been paid to workarounds in vulnerability databases (Khazaei & Ghasemzadeh, 2016; Khazaei, Ghasemzadeh & Derhami, 2016). Here, for the first time, the main focus is on extracting, investigating and recording vulnerability workarounds (leading to the construction of VuWaDB).
In VuWaDB, the workarounds have been categorised. The available vulnerability databases do not include any pervasive workaround categorizations. In fact, although a few researchers have already tried to categorise some of the vulnerability solutions, none of them has considered all of the vulnerability types.
Howard (1997), in his Ph.D. thesis, focused on Internet vulnerabilities. He defined two broad categories for corrective actions: Internal actions and External actions. Each of these two main categories consists of sub-categories. Internal actions are those actions performed by the system administrators, for example, to restrict, configure, or upgrade hardware or software. These actions make a host or site more secure. External actions are those actions that can be accomplished from outside the organisation, such as actions involving law enforcement or actions against the intruder. Howard’s work seems to be the first effort towards gathering and categorising corrective actions as part of the vulnerabilities’ solutions. However, his categorization is limited to Internet vulnerabilities only.