SIGSOFT Software Engineering Notes
Page 1
July 2009 Volume 34 Number 4
Impact of Inheritance on Vulnerability Propagation at Design Phase A. Agrawal, R. A. Khan DIT, Babashaeb Bhimrao Ambedkar University, Lucknow, India
[email protected],
[email protected] ABSTRACT The design phase of software development provides the foundation for secure software. Reducing vulnerability at this phase minimizes rework in subsequent development phases. Currently, no efficient measure or method is available to reduce this vulnerability. In order to address this problem, we have proposed an algorithm to measure vulnerability propagation for an object-oriented design that calculates the Attribute Vulnerability Ratio (AVR).
Keywords: Measurement, Software Security, Design, Inheritance, Class Hierarchy, Object Oriented Design, vulnerability. 1. INTRODUCTION Conventional approaches on security focus primarily on computer system and network security [10]. But, occurrences of different security related incidents have proved that application security is not enough to fight against attacks. Researchers agree that vulnerabilities left in the software development process are responsible for successful security attacks [16]. P. Torr. realizes that reducing vulnerabilities early in the development life cycle can reduce considerable effort for later phases [9]. Recommended changes and modifications at design phase may easily be adapted. Also, vulnerabilities introduced in the phase manifest themselves with the ongoing development life cycle [14]. But absence of any efficient tool or mechanism to handle the vulnerabilities at this phase [15] has made the process time and resource consuming, as well as error prone [17]. Most surprisingly, almost negligible work has been done to address security issues at this phase of object oriented software [20]. G. McGraw strongly believes that any security mechanism, no matter how strict it seems, can harbor vulnerabilities [15]. In this scenario, it is essential to asses the software vulnerabilities at design phase. Mitigating vulnerabilities at this phase costs much less [18]. But unfortunately, both qualitative and quantitative methodologies to assess vulnerabilities at early stage of software development life cycle are still missing [19]. Researchers and practitioners are repeatedly advocating for the possibility of integrating vulnerability assessment during the design [21]. The fact motivated the authors to develop an efficient measure for object oriented design vulnerability. The rest of the paper is organized as follows: Next section discusses some existing approaches in the area and motivation. Section 3 presents some pertinent terminologies to be used during estimation. An algorithm to calculate Vulnerability Propagation (VP) along with the steps for calculating Attribute Vulnerability Ratio (AVR) are also been introduced in the same section. Section 4 executes an example implementing the approach for calculation of Attribute Vulnerability Ratio (AVR). Section 5 discusses inter-
http://doi.acm.org/10.1145/1543405.1543411
pretation and section 6 presents some advantages and limitations of the approach. Paper concludes at section 7. 2. MOTIVATION AND DISCUSSION Vulnerabilities are weaknesses in a system which can be exploited at any point of time and lead to undesired consequences. Since the attackers do not create security holes at their own, they just exploit the vulnerabilities in the software [23].Various Vulnerability Discovery Models (VDM) [1, 2], metrics [3] and tools [4-7] are in use to track, estimate and eliminate vulnerabilities. Unfortunately, the models, metrics and tools available can only be used at later stage of software development life cycle, sometimes after deployment [24]. This is the reason, vulnerabilities are reduced too late. As a result, incorporating design decisions increases rework. Some of the experts made considerable efforts to incorporate quality assessment in design phase [22]. The concept may be extended to make an effort to assess vulnerabilities at early stage, exclusively in design phase. Minimizing vulnerabilities at design phase may enhance security of software product. Furthermore, early identification and reduction in vulnerabilities reduces rework and cost. Some developments are noticed for minimizing vulnerabilities in design phase [8-9]. These approaches are either subjective or vague in nature. One of the most cited examples under this category is Microsoft’s Threat Modeling process. The process is purely subjective, and is not able to estimate security intoto. In the process, entry points are decided for each component of software, and for each entry point trust levels are established i.e. privileges are enforced. For the purpose, to verify whether a user is authorized for a particular privilege, password might be imposed. This is a good practice but since variable which processes passwords is at the surface of the software it is prone to attack. In order to make the variable secure, some security mechanism might be implemented in the process. But, it is an inevitable fact that no security mechanism can provide complete security. The approach, the process is using, is just a part of defense [15]. Some critical observations made on Microsoft’s Threat Modeling process are listed as follows: • In today’s environment where there is a complex inter relationship between data, it is possible for the attackers to fetch details of the variable( processing password) through other components which are related to the variable or using the copy of the same. • The process does not tell whether the resulting design is vulnerable or not. • Two vulnerable designs can not be compared using the process. • It is also not clear, up to what level the design is not vulner-
DOI: 10.1145/1543405.1543411
SIGSOFT Software Engineering Notes
Page 2
able. Microsoft’s Threat Modeling Process uses security mechanisms to filter threat in order to minimize vulnerability exploitation, assuming that the target is vulnerable. In order to secure design, an external mechanism is being used. There appears a need to deduce a mechanism to minimize vulnerabilities of software design using its design constructs. Microsoft’s Threat Modeling Process provides protection to vulnerability exploitation. It would be better to develop immunity in the design itself to make it non-attack prone without implementing any external mechanism. We have made an effort in the same direction. 3. THE APPROACH The approach for computing Attribute Vulnerability Ratio(AVR) of an object oriented design tries to focus on the objectives made in section 2.The approach is based on the fact that inter relationship among data tends to resolve vulnerability difficult. The problem becomes worst when inheritance comes into the picture. Inheritance is used to increase reusability of design and code and hence to reduce effort for software development. But at the same time, it is also responsible for spreading vulnerability from one class to another, because of its transitive nature [11]. If a design supports Inheritance then all of the methods and variables defined for the parent class automatically become available for all of its subclasses, as well as for any subclass of these classes recursively down the hierarchy [12].
July 2009 Volume 34 Number 4
Ad = {ad1 , ad2 , ad3,………..ack} Where, i and k are some finite numbers. The similar holds for methods also. Vulnerable attributes An attribute may be called vulnerable if it provides entry points for external application, processes confidential information, involves in internal network communication or allows user authentication and control etc [27]. Definition3: An attribute a € A of a class C is vulnerable if it is prone to attack. Vulnerability propagation In general, propagation means flow of something from one place to another. It is a well established fact that increasing availability of a vulnerable attribute by any means propagates the vulnerability by that means [13]. Definition4: In object oriented design perspective, vulnerability propagation of a vulnerable attribute is defined as spreading vulnerability from one class to another through a vulnerable attribute [14]. Parent vulnerable class A Class C is called as parent vulnerable class if at least one vulnerable attribute is their in its own set of attributes.
3.1 Terminology and Representation Following terminology and representations are used in the approach:
Definition5: A class Cv is a parent vulnerable class if there exists at least one vulnerable attribute a such that a € Ac.
Inheritance graph
A class Cv is called as derived vulnerable class if at least one of its derived attribute is vulnerable.
An Inheritance Hierarchy can be considered as Directed Acyclic Graph (DAG) called an Inheritance Graph. In Inheritance Graph, each class of the Inheritance Hierarchy represents a vertex and each inheritance link represents an edge in the corresponding Directed Acyclic Graph (DAG). Definition1: Inheritance graph of a class hierarchy of n classes is a connected, directed, acyclic graph H = (V, E) such that V= {C1, C2, C3, C4………Cn}, and E = {Ci → Cj, where i, j are arbitrary numbers and i, j € {1,2,3,4….}} Class A class C can be represented as a collection of finite sets of attributes and methods. Definition 2: If A is a set of attributes and M is a set of methods then class C can be represented as: C= (A, M) Set A again contains two types of sets; a set of own attributes Ac of C and set of attributes Ad derived from its parent class.
Derived vulnerable class
Definition6: A class Cv is a derived vulnerable class if there exists at least one vulnerable attribute a such that a € Ad. Vulnerable tree and vulnerable set Vulnerability Propagation of a vulnerable attribute is represented in two ways; Vulnerable Tree and Vulnerable Set. A vulnerable tree is a Connected Directed Acyclic Graph (DAG) derived from Inheritance Hierarchy having parent vulnerable class as the root and derived vulnerable classes as its descendents. A Vulnerable Set is a collection of its parent vulnerable class and the classes having the attribute as its derived attribute. Definition7: A Vulnerable Tree (VT) corresponding to a vulnerable attribute av is a DAG whose root vertex is parent vulnerable class of av and descendents of the root are the classes having av as their derived attribute. Definition8: A Vulnerable Set (VS) corresponding to a vulnerable tree of attribute av is defined as: VS = {all classes present in the vulnerable tree}
A = {Ac, Ad} where Ac = {ac1, ac2, ac3 ……. aci}, and
http://doi.acm.org/10.1145/1543405.1543411
DOI: 10.1145/1543405.1543411
SIGSOFT Software Engineering Notes
Page 3
3.2 Computing Vulnerability Propagation of a Vulnerable Attribute The algorithm for computing Vulnerability Propagation of an attribute uses the fact that transitive nature of Inheritance is a major cause of propagation of a vulnerable attribute from one class to another. Again, if a class inherits a parent vulnerable class but it does not use the vulnerable attribute of its parent class then it can not be considered as a vulnerable class. 3.2.1 Algorithm The algorithm for calculating Vulnerability Propagation (VP) of an attribute uses the idea of Breadth First Search (BFS) algorithm. It takes as input identified a parent vulnerable class vul, its corresponding Inheritance graph H, and a vulnerable attribute atr € Avul. For Inheritance graph and a distinguished vulnerable vertex vul, algorithm explores the edges of H to obtain every vertex that is reachable from vul and for which atr is there as its derived attribute. The algorithm produces vulnerable tree corresponding to vulnerable vertex vul and at the same time counts all vertices of the tree to show vulnerability propagation of atr. To verify the progress, the algorithm shows status of each vertex as unknown, known and traversed. Initially the vertex is unknown; it becomes known when it is discovered. Later, it becomes traversed when all of its adjacent vertices having atr as their derived attribute become known. The algorithm assumes that Inheritance graph H = (V, E) is represented using adjacency list. It maintains several additional data structures with each vertex in Inheritance graphs. The status of each vertex u € V is stored in the variable status [u], predecessor of u is stored in the variable p [u], array DA[u] is used to store derived attributes of u from its parent vertex. The algorithm uses a FIFO queue, Q which manages a set of all known vertices. The algorithm is described as: VP (H, vul, atr) 1.
status[u] ← unknown
3.
p[u] ← Nil
The working of algorithm VP(H, vu, atr) is as follows: In the for loop from step 1 to 3, status variable of each vertex of the Inheritance Graph H is set as unknown and parent p as Nil. In step 4, parent of vertex vul is set to Nil as now it has become root vertex. Step 5 set VP_ atr as 0 (to reflect that initially, Vulnerability Propagation of atr is 0).Step 6 sets status of vul as known and step 7 puts vul in Q. The while loop from step 8 to 17 iterates till Q is not empty. Each time, head of the Q is assigned to a variable u. Status of all vertices v adjacent to u is checked and atr is searched in the array DA corresponding to each v. If the check is successful i.e. true, then status of v is set as known and parent p is u( if the status variable is unknown) and these adjacent vertices are inserted into Q. The Q is now dequeued so the next vertex in Q may occupy the head position. Status of u is set as traversed to indicate that all of its adjacent vertices have been explored. Finally, VP_atr is incremented by 1 to show increment in the Vulnerability Propagation. 3.3 Attribute Vulnerability Ratio (AVR) of Object Oriented Design The ratio of total number of vulnerable classes to the overall classes in the design is termed as Attribute Vulnerability Ratio (AVR).Total number of vulnerable classes can be obtained by the vulnerability propagation of each vulnerable attribute in design. Since Vulnerability Propagation of an attribute is the set of classes having the attribute either as its own attribute or as its derived attribute, there may be some classes which are present in the vulnerability Propagation sets of more than one attribute. So, cardinality of the union of the Vulnerability Propagation of all vulnerable attribute will give the overall vulnerable classes in the design and will avoid repetition of classes.
Step1: Find out Vulnerability Propagation of each vulnerable attribute in class hierarchies of object oriented design through algorithm VP. Step 2: Represent vulnerable trees of each vulnerable attribute to the corresponding vulnerable set through definition 8.
4.
p[vul] ← Nil
5.
VP_atr = 0
6.
status [vul] ← known
7.
Q ← vul
8.
While Q ≠ Ø
9.
do u ← head (Q)
10.
For each v € adj [u] do if status[v] = unknown & atr €
12.
Then status[v] ← known
13.
p [v] ← u
14.
Enqueue (Q, v)
15.
dequeue (Q)
16.
status [u] ← traversed
17.
3.2.2 Working
3.3.1 Steps for calculating Attribute Vulnerability Ratio
for each vertex u € V (H) - vul
2.
11.
July 2009 Volume 34 Number 4
Step 3: Make Union of vulnerable sets obtained from step 2. Step 4: Find out total number of vulnerable classes by calculating cardinality of the set obtained from step 3. Step 5: Divide cardinality obtained from step 4 by number of classes in the design which will yield Attribute Vulnerability Ratio.
DA[v]
VP_atr = VP_atr +1
http://doi.acm.org/10.1145/1543405.1543411
Mathematically, let us assume that there are n number of vulnerable attributes in an object oriented design and their corresponding vulnerability propagations are the sets VS1, VS2, VS3……VSn(from steps 1 and step 2). Then, No. of vulnerable classes in design = | VS1U VS2…..U VSn| (step 3 and step 4) and step 5 will yield AVR.i.e., AVR = | VS1 U VS2…..U VSn| / M
…..(1)
Where, M is the total number of classes in the design.
DOI: 10.1145/1543405.1543411
SIGSOFT Software Engineering Notes
Page 4
July 2009 Volume 34 Number 4
4. AN EXAMPLE FOR CALCULATING ATTRIBUTE VULNERABILITY RATIO Proposed algorithm VP has been implemented using a toy example to calculate vulnerability propagation of an attribute. Using calculated vulnerability propagation, Attribute Vulnerability Ratio (AVR) has been computed for the same example. There are three inheritance graphs H[1], H[2] and H[3] in a given object oriented design as shown in figure-1. Total number of classes in the design is 21. Now, steps for calculating Attribute Vulnerability Ratio can be followed as: Step1: Find out Vulnerability Propagation of each vulnerable attribute in class hierarchies of object oriented design through algorithm VP.
C1
C2
C9
C3
C4
C11
C10
C16
C17
C18
C6
C5
C15
C8
C12
C13
C7
C20 C19 C21
C14
H[1]
H[3]
H[2]
Figure-1: Inheritance Graphs and Vulnerable Vertices
C9
C2
The grayed vertices C2, C9, C10, and C19 represent parent vulnerable vertices. Since for finding the Vulnerable Tree corresponding to a parent vulnerable vertex, the algorithm checks DA of only those vertices which are descendents of the parent vulnerable vertex. The only thing we need is the list of attributes of parent vulnerable vertices and derived attributes of its descendents. For Inheritance Graph H[1], the attribute list is given as:
C4
C10
C12
C6
C19
C12
C14
2(a)
OAC2= {a, b, c, d} where a is vulnerable attribute.
2(b)
2(c)
2(d)
Figure-2: Output of Algorithm: Vulnerable trees
DAC4 = {a, b} DAC5 = {c, d} DAC6 = {a, b, c} DAC7 = {b, c, d} Using the proposed algorithm VP, the vulnerable tree corresponding to attribute a of C2 is given in figure 2(a). For Inheritance Graph H[2], the attribute list is given as: OAC9= {e, f, g} where g is a vulnerable attribute. OAC10= {h, i} where h is a vulnerable attribute. DAC12= {e, f, g, h}
Step 2: Represent vulnerable trees of each vulnerable attribute to the corresponding vulnerable set through definition 8. Let, Vulnerable Sets corresponding to vulnerable attributes a, g, h, k are VS (a), VS (g), VS (h), and VS (k) then VS (a)= { C2, C4, C6}, VS (g) = { C9, C12, C14}, VS (h) = { C10, C12 }, and VS (k) = { C19} Step 3: Make Union of vulnerable sets obtained from step 2. Let U= VS (a) U VS (g) U VS (h) U VS (k) then U = {C2, C4, C6, C9, C10, C12, C14, C19}
DAC13 = {e}
Step 4: Find out total number of vulnerable classes by calculating cardinality of Union Set obtained from step 3.
DAC14 = {g}
Let C= |{C2, C4, C6, C9, C10,C12, C14, C19}| = 8
Using the proposed algorithm VP, the vulnerable trees corresponding to attribute g of C9 and attribute h of C10 are given in figure2(b) and 2(c) respectively.
Step 5: Divide cardinality obtained from step 4 by number of classes in the design which will yield Attribute Vulnerability Ratio. Attribute Vulnerability Ratio = 8/21= .38
For Inheritance Graph H [3], the attribute list is given as: OAC19= {j, k} where k is a vulnerable attribute. Since C19 has no descendents so its attribute k will not be able to propagate vulnerability further and the algorithm VP will just return C19 as the root vertex (as in figure2(d)).
5. INTERPRETATION If N is the total number of vulnerable attribute in design such that N>0, the numerator in equation (1) would lie between N and M. i.e. N≤ | VS1 U VS2 U VS3…..U VSn | ≤ M
………(2)
Using above inequality, the value of AVR of a design will always be greater than 0 and less than or equal to1. i.e.
0
