VuWaDB: A Vulnerability Workaround Database

Atefeh Khazaei (Yazd University, Yazd, Iran), Mohammad Ghasemzadeh (Yazd University, Yazd, Iran) and Christoph Meinel (Hasso Plattner Institute, Potsdam, Germany)
Copyright: © 2018 | Pages: 11
DOI: 10.4018/IJISP.2018100102

Abstract

This paper introduces VuWaDB, a database of vulnerability workarounds. When faced with a newly discovered vulnerability, experts tend to use workarounds to mitigate the risks until the vendor issues a patch. Currently, the available vulnerability databases lack comprehensive workaround solutions. Furthermore, the workarounds they present are not only limited to a few vulnerabilities but also poorly recorded, in natural language sentences and plain text format. To construct VuWaDB, the related information was first gathered from a number of well-known vulnerability databases and then extracted, analyzed, and labeled. VuWaDB organizes the workarounds in six categories: configuration, modify code, redirect, remove, restrict access, and utility tool. Lastly, the database was analyzed from a statistical point of view.

Introduction

Each year a large number of vulnerabilities are discovered and reported. In the context of computer security, a vulnerability can be defined as a weakness which allows an attacker to threaten a system’s confidentiality, availability or integrity.

When faced with a new vulnerability, vendors tend to issue patches or upgrades to fix the issue causing the vulnerability. However, issuing and providing a patch or upgrade often involves a considerable delay, and during this interval systems are prone to exploits. In this regard, an effective approach is to find a workaround. Workarounds are solutions that mitigate the risk of a vulnerability being exploited, for instance, changing access control or enabling filtering (Holm, 2012).

So far, inadequate attention has been paid to providing structured information on workaround solutions. Most available vulnerability databases do not include workaround solutions as a separate information element in their records. Some of these databases include workarounds for only a small number of vulnerabilities, and they often list the workarounds as part of the vulnerability’s solution. In this regard, comprehensive and structured databases containing workaround solutions with consistent categories can effectively help security experts to build automated systems to deal with new vulnerabilities.

The main contributions of this study are as follows:

  1. Introducing general categorization for vulnerability workarounds: In the literature, comprehensive categories have not been provided for vulnerability workarounds until now;

  2. Compiling a vulnerability workaround database (VuWaDB): In this database, there are accurate data that were gathered, analysed and labelled manually from some reliable databases;

  3. Analysing workaround data trends: The VuWaDB was analysed with regard to time, severity and type of vulnerabilities.

Literature Review

There are various vulnerability databases; however, only some of them report available patches and upgrades to deal with vulnerabilities. OSVDB (2018), Security Tracker (2018) and CERT CC Vulnerability Notes (2018) are amongst these databases. Due to their reliability, they are widely used by many researchers; however, they provide workarounds for only a small number of vulnerabilities in their solution fields. In fact, so far little attention has been paid to workarounds in vulnerability databases (Khazaei & Ghasemzadeh, 2016; Khazaei, Ghasemzadeh & Derhami, 2016). Here, for the first time, the main focus is on extracting, investigating and recording vulnerability workarounds (leading to the construction of VuWaDB).

In VuWaDB, the workarounds have been categorised. The available vulnerability databases do not include any pervasive workaround categorizations. In fact, although a few researchers have already tried to categorise some of the vulnerability solutions, none of them has considered all of the vulnerability types.

Howard (1997), in his Ph.D. thesis, focused on Internet vulnerabilities. He defined two broad categories for corrective actions: Internal actions and External actions. Each of these two main categories consists of sub-categories. Internal actions are those actions performed by the system administrators, for example to restrict, configure, or upgrade hardware or software. These actions make a host or site more secure. External actions are those actions that can be accomplished from outside the organisation, such as actions involving law enforcement or actions against the intruder. Howard’s work seems to be the first effort towards gathering and categorising corrective actions as part of the vulnerabilities’ solutions. However, his categorization is limited to Internet vulnerabilities only.
