SHORT PAPER International Journal of Recent Trends in Engineering, Vol 2, No. 3, November 2009

An Algorithm to Measure Attribute Vulnerability Ratio of an Object Oriented Design

A. Agrawal and R.A. Khan
DIT, B.B.A. University, Lucknow, India

Abstract—In order to minimize vulnerabilities and achieve a target level of security, quantification of security is necessary. Unfortunately, quantitative estimation of security in the design phase is largely missing. Given the need for and significance of such a mechanism, the authors have made an effort to deduce a methodology for finding the impact of Inheritance on vulnerability propagation in object oriented design (OOD). An algorithm to measure the Attribute Vulnerability Ratio (AVR) of an OOD is developed. The proposed approach is implemented using a case study of an Automated Teller Machine (ATM) to illustrate its applicability.

Index Terms— Design Phase, Inheritance, Vulnerability Propagation, Algorithm, Attribute Vulnerability Ratio

I. INTRODUCTION

Various security breach incidents have revealed that vulnerabilities left in software during the development process are responsible for successful attacks [1, 2]. Security experts hold the strong opinion that reducing vulnerabilities early in the software development life cycle (SDLC) can save considerable effort in later phases [1, 3]. Around 50 percent of the security flaws uncovered during Microsoft's security push in 2002 were closely related to design level problems [4]. But the absence of any efficient tool or mechanism to handle vulnerabilities at this phase [1] has made the process time consuming, resource consuming, and error prone [6]. Successful efforts at incorporating quality early in the design phase [7] motivated the authors to integrate security well in advance during the development life cycle and to develop an efficient measure for OOD vulnerability. The rest of the paper is organized as follows. The next section presents an approach to calculate the Attribute Vulnerability Ratio (AVR). Section 3 discusses a case study of an ATM for examining the applicability of the approach. Section 4 presents advantages and limitations. The paper concludes at Section 5.

II. THE APPROACH

Availability of anything vulnerable increases its likelihood of being exploited. If a design supports Inheritance then all of the methods and attributes defined for the parent class automatically become available to all of its subclasses [5]. However, if a class is a descendant of a parent vulnerable class but does not use the vulnerable attribute of the former, then the latter cannot be considered a vulnerable class. The focus of the study is to minimize the availability of vulnerable attributes in order to minimize design vulnerability. The definitions and representations used in the approach have been given in [8].

A. The Algorithm

Calculating the Attribute Vulnerability Ratio (AVR) of a design requires calculating the Vulnerability Propagation due to each vulnerable attribute vul_atr, and hence each parent class Ci, in the Inheritance hierarchies present in the design, where Ci is some class. The union of the Vulnerability Propagation due to each vulnerable attribute then gives the overall Vulnerability Propagation in the design. Dividing the overall vulnerability propagation by the number of classes in the design produces the AVR. If there are n vulnerable attributes and $VP_1, VP_2, \ldots, VP_n$ are the vulnerability propagation sets due to these attributes then,

$$\mathrm{AVR} = \frac{|VP_1 \cup VP_2 \cup \cdots \cup VP_n|}{D} \qquad (1)$$

where D is the total number of classes in an OOD. The algorithm for calculating AVR for an OOD is described as:

AVR (VUL [1...M], IG [N])
    vul_set = Ø
    for [i = 1; i ≤ M; i++]
        vul_set = VUL[i]
    for [i = 1; i ≤ M; i++]
        vul ← Head (VUL)
        for (j = 1 to N)
            if vul ∈ IG[j]
            then for each vul_atr ∈ atr_list[vul]
                call VP (IG[j], vul)
                //nodes of vulnerable tree with no repetition//
                vul_set ← merge vul_set and vul_prop
            exit;
        dequeue (VUL)
    //counting number of elements of vul_set//
    count ← count (vul_set)
    AVR = count / D

where VP (IG[j], vul) is defined as follows:

VP (IG[j], vul)
    for each vertex u ∈ V (IG[j]) – vul
        then do p[u] ← Nil
    p[vul] ← Nil
    vul_prop = Ø
    Q ← vul
    While Q ≠ Ø
        do u ← head (Q)
        for each v ∈ adj[u]
            do if vul_atr ∈ atr_list[v] then do
                p[v] ← u
                if v is not present in vul_prop
                    then vul_prop ← v
                    enqueue (Q, v)
            else
                //merging adjacent lists without repetition//
                adj_list [u] ← adj_list [v] + adj_list

61 © 2009 ACADEMY PUBLISHER

B. Working

The algorithm becomes complicated when a class inherits a vulnerable class and does not itself use the vulnerable attribute, but its descendants do. Such cases are discussed below:

Case-1: If a class inherits a parent vulnerable class but does not use its vulnerable attribute, then it will no longer be considered a child of the parent vulnerable class (figure-1).

Figure-1: Illustration of Case-1

Case-2: If a class inheriting a parent vulnerable class does not use its vulnerable attribute but its child does, then the child will be made a child of the parent vulnerable class (figure-2).

Figure-2: Illustration of Case-2

Case-3: This case deals with multiple inheritance. A class (suppose D) inherits two classes. Its parent classes in turn inherit a parent vulnerable class. If D uses the vulnerable attribute then three sub-cases may arise:

Case-3a: If one of B or C (suppose B) does not use the vulnerable attribute, then B will no longer be a parent of D (figure-3).

Figure-3: Illustration of Case-3a

Case-3b: If both B and C use the vulnerable attribute, then there will be no change in the structure (figure-4).

Case-3c: If neither B nor C uses the vulnerable attribute, then D will be made a child of A (figure-5).

Figure-5: Illustration of Case-3c

III. CASE STUDY

The approach is implemented using a case study of an ATM [9]. An Inheritance Graph generated from the Inheritance Hierarchy of the ATM is shown in figure-6a. The design hierarchy of the ATM contains 22 classes. Class message is identified as a parent vulnerable class because of the presence of the vulnerable attribute pin. Pin is considered a vulnerable attribute because it provides the entry point for the user by checking whether a user is authentic or not; it works as a communication interface/channel between the user and the ATM; and an attacker will have to somehow compromise pin in order to learn the details of others' accounts and hence perform illegal actions such as transfer, withdraw, inquiry etc.

Algorithm Implementation

Inputs to the algorithm AVR are class message and the Inheritance Graph (IG) of the class hierarchy. Initially, Vul_set = {message}. After implementation, the algorithm produces two outputs, namely a Vulnerable Tree, having class message as root node, and a Vulnerable Set (Vul_set), having all vulnerable vertices of the hierarchy. Vul_set = {message, transaction, session, withdrawal, transfer, deposit, enquiry}. The flow of vulnerability propagation of pin is shown through the vulnerable tree produced by the algorithm. Vulnerable trees are displayed in two ways in figure 6b and figure 6c. Figure-6b shows a tree containing all classes which may be expected to be vulnerable because of inheriting a vulnerable class. The classes attached to the parent vulnerable class through broken links just inherit the parent vulnerable class but do not use the vulnerable attribute pin. Figure 6c shows a vulnerable tree $VT_{pin}$. Descendants of message are the classes which use pin.

A. Attribute Vulnerability Ratio (AVR)

Total count (vul_set) = 7
Number of classes in the design hierarchy = 22
Then, AVR (design ATM) = 7/22 = 0.31

B. Contextual Interpretation

If n (≥ 0) is the total number of vulnerable attributes in a design then the numerator in (1) would lie between 0 and D, i.e.

$$0 \le |VP_1 \cup VP_2 \cup \cdots \cup VP_n| \le D$$

Using the above inequality, the value of AVR of a design will always be greater than 0 and less than or equal to 1.
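The propagation rule of Section II (Cases 1 to 3) and the ratio in (1), as an added Python example that is not the authors' code. It goes one step beyond the case study by taking the union over two vulnerable attributes; the ten-class design, the class names A to J and the second attribute `key` are constructed for illustration, and only the set of vulnerable classes is computed, not the vulnerable tree.

```python
from collections import deque

def vulnerability_propagation(children, uses, root, vul_atr):
    """Classes at or below `root` that use `vul_atr` (the set VP)."""
    vul_prop, seen, queue = {root}, {root}, deque([root])
    while queue:
        u = queue.popleft()
        pending = list(children.get(u, ()))      # adjacency list of u
        while pending:
            v = pending.pop()
            if v in seen:
                continue
            seen.add(v)
            if vul_atr in uses.get(v, ()):
                vul_prop.add(v)                  # v uses the attribute: vulnerable
                queue.append(v)
            else:
                # v only inherits the attribute: leave v out, but merge its
                # adjacency list into u's so its subclasses are still examined
                pending.extend(children.get(v, ()))
    return vul_prop

def avr(classes, children, uses, vulnerable):
    """vulnerable: (parent vulnerable class, vulnerable attribute) pairs."""
    vul_set = set()
    for root, vul_atr in vulnerable:
        vul_set |= vulnerability_propagation(children, uses, root, vul_atr)
    return vul_set, len(vul_set) / len(classes)

# Constructed design, not the ATM hierarchy of the case study.
CLASSES = list("ABCDEFGHIJ")                     # D = 10 classes
CHILDREN = {"A": ["B", "C", "G"], "B": ["D", "E"], "C": ["D"],
            "E": ["F"], "H": ["I", "F"]}         # parent -> subclasses
USES = {"A": {"pin"}, "C": {"pin"}, "D": {"pin"}, "F": {"pin", "key"},
        "H": {"key"}, "I": {"key"}}              # attributes each class uses
VULNERABLE = [("A", "pin"), ("H", "key")]

if __name__ == "__main__":
    vul_set, ratio = avr(CLASSES, CHILDREN, USES, VULNERABLE)
    print(sorted(vul_set), ratio)
```

B, E and G inherit `pin` without using it and are excluded, while D and F are still counted through them; F appears in both propagation sets but only once in the union.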
