Differences between revisions 1 and 2
Revision 1 as of 2007-06-07 12:11:00
Size: 2674
Editor: tk28
Comment:
Revision 2 as of 2007-06-21 06:55:53
Size: 2560
Editor: tk28
Comment:
Line 10: Line 10:
 || ''' AVAILABILITY: ''' ||<99%> [http://www.ee.oulu.fi/research/ouspg/protos/sota/MSR2002-protos/presentation-part1.pdf [PDF]] Presentation part 1: Background and context, [http://www.ee.oulu.fi/research/ouspg/protos/sota/MSR2002-protos/presentation-part2.pdf [PDF]] Presentation part 2: Testing approach, [http://www.ee.oulu.fi/research/ouspg/protos/sota/MSR2002-protos/presentation-part3.pdf [PDF]] Presentation part 3: Results and vulnerability handling ||  || ''' AVAILABILITY: ''' ||<99%> [attachment:PROTOS_MSR2002_presentation-part1.pdf [PDF]] Presentation part 1: Background and context, [attachment:PROTOS_MSR2002_presentation-part2.pdf [PDF]] Presentation part 2: Testing approach, [attachment:PROTOS_MSR2002_presentation-part3.pdf [PDF]] Presentation part 3: Results and vulnerability handling ||
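Review bot: Revision 2 has an empty Comment, yet on Line 10 it replaces the three PDF links under http://www.ee.oulu.fi/research/ouspg/protos/sota/MSR2002-protos/ with attachment: references (PROTOS_MSR2002_presentation-part1.pdf through part3.pdf). State the reason for the move in the edit comment, and confirm that all three attachments are uploaded to this page so the AVAILABILITY row does not end up with dead links.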

PROTOS - systematic approach to eliminate software vulnerabilities

ABSTRACT

  • Flaws in information security infest modern software, and pervasive computing has made us and our society vulnerable. Security and safety in software are attributes that cannot be effectively measured or guaranteed, and are thus always based on levels of risk. A focal problem area is software implementation, which may introduce potential for unanticipated and undesired program behaviour. Frequent vulnerability disclosures prompt for practical measures of vulnerability assessment and elimination of at least the most trivial product flaws. The PROTOS project (1999-) has developed a complementary approach to systematically test implementations of protocols in a black-box (i.e. functional) fashion. A novel mini-simulation method using attribute grammar to model both input syntax and software behaviour was proposed. The method was used to test the robustness of real software products ranging from browsers embedded in mobile terminals to classic network infrastructure building blocks. A partial vulnerability disclosure concept, constructive disclosures, was introduced as an alternative to full disclosures and as a safety-net against reoccurring vulnerabilities of a similar kind. 80% of the tested products failed due to exploitable flaws, for most of them several flaws were discovered and eliminated simultaneously. The proposed vulnerability disclosure model was executed in multi-vendor, multi-vulnerability cases involving the flawed software. Complicated vulnerability cases were successfully handled, with positive feedback. These results promote the seeking and refinement of solid engineering practices that will take the vulnerability process beyond an art form.

Publication details and availability

  • TITLE:

    PROTOS - systematic approach to eliminate software vulnerabilities

    PUBLICATION DETAILS:

    Röning, J; Laakso, M; Takanen, A & Kaksonen, R. (2002). "PROTOS - systematic approach to eliminate software vulnerabilities". Invited presentation at Microsoft Research, Seattle, USA. May 6, 2002.

    AVAILABILITY:

    [attachment:PROTOS_MSR2002_presentation-part1.pdf [PDF]] Presentation part 1: Background and context, [attachment:PROTOS_MSR2002_presentation-part2.pdf [PDF]] Presentation part 2: Testing approach, [attachment:PROTOS_MSR2002_presentation-part3.pdf [PDF]] Presentation part 3: Results and vulnerability handling

