Vulnerability and Attack Injection

The methodology consists of injecting realistic vulnerabilities in a component exposed to the Internet and subsequently exploiting such vulnerabilities to launch attacks automatically in order to evaluate existing security mechanisms in the entire system.
The purpose of Vulnerability and Attack Injection (VAI), in real systems or prototypes, is to evaluate globally how the system copes with attacks and to assess specific security mechanisms in the target systems.

Description: Vulnerability and Attack Injection was first proposed in [VAI5], where the methodology was presented and applied to SQL injection vulnerabilities in web applications. The method consists of injecting realistic vulnerabilities into a component exposed to the Internet and then exploiting those vulnerabilities to launch attacks automatically, in order to evaluate existing security mechanisms in the entire system [VAI1, VAI2]. That is, realistic vulnerabilities are deliberately injected into one component so that the security attributes and mechanisms of the rest of the system can be evaluated through the attacks those vulnerabilities make possible. The component where the vulnerabilities are injected (the target component) is not part of the target system under evaluation. The injected vulnerabilities are considered realistic because they are derived from the extensive field study on real application vulnerabilities presented in [VAI3], and are injected according to a set of representative restrictions and rules defined in [VAI4]. The whole approach is considered realistic because any application or component exposed to the Internet may have vulnerabilities, and the possible exploitation of such vulnerabilities to attack the system must still be detected and handled adequately.

The automated attack of an application is a multi-stage procedure that includes: preparation stage, vulnerability injection stage, attack load generation stage, and attack stage. 

The technique can be used for many purposes, including training and evaluating security teams, estimating the total number of vulnerabilities, and evaluating security mechanisms such as IDSs and firewalls [VAI5].
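The following sketch is an added illustration, not the tooling from [VAI5] or any code from the cited authors. It shows the idea on a toy scale: a target component is given an SQL injection flaw, and a hypothetical query-structure monitor (the mechanism under evaluation) is scored on whether it notices the resulting attack. All names, the schema and the sample inputs are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample inputs (assumptions, not from the source page).
BENIGN = ["alice", "bob"]
ATTACK_LOAD = ["x' OR '1'='1"]   # textbook tautology for the injected flaw

def query_original(name):
    """Target component as written: parameterised query."""
    return "SELECT id FROM users WHERE name = ?", (name,)

def query_injected(name):
    """Same component after vulnerability injection: binding removed."""
    return f"SELECT id FROM users WHERE name = '{name}'", ()

def skeleton(sql):
    """Query structure with string and numeric literals masked."""
    return re.sub(r"\b\d+\b", "?", re.sub(r"'[^']*'", "?", sql))

class QueryMonitor:
    """Hypothetical mechanism under evaluation: flags unseen query shapes."""
    def __init__(self):
        self.known = set()
    def learn(self, sql):
        self.known.add(skeleton(sql))
    def is_anomalous(self, sql):
        return skeleton(sql) not in self.known

def run_campaign(build_query):
    """Return one (attack_succeeded, detected) pair per attack input."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    monitor = QueryMonitor()
    for name in BENIGN:                      # preparation: learn normal traffic
        monitor.learn(build_query(name)[0])
    results = []
    for payload in ATTACK_LOAD:              # attack stage
        sql, params = build_query(payload)
        rows = db.execute(sql, params).fetchall()
        succeeded = len(rows) > 1            # a name lookup never returns 2 rows
        results.append((succeeded, monitor.is_anomalous(sql)))
    return results

if __name__ == "__main__":
    print("original:", run_campaign(query_original))
    print("injected:", run_campaign(query_injected))
```

A pair of (True, False) from such a campaign would mean the attack succeeded without the mechanism noticing, which is the kind of gap the evaluation is meant to expose.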

  • Injects realistic vulnerabilities
  • Attacks the vulnerabilities based on the characteristics of the vulnerabilities, like an attacker would do
  • Allows testing security mechanisms in place
  • Allows training security teams
  • Needs to access the source code of the application or system
  • Heavily dependent on the programming language of the target application

[VAI1] J. Fonseca, N. Seixas, M. Vieira, and H. Madeira, "Analysis of Field Data on Web Security Vulnerabilities", IEEE Transactions on Dependable and Secure Computing, accepted for publication in 2014.  

[VAI2] J. Fonseca, M. Vieira, and H. Madeira, "Evaluation of Web Security Mechanisms using Vulnerability & Attack Injection", IEEE Transactions on Dependable and Secure Computing, accepted for publication in 2014.  

[VAI3] J. Fonseca and M. Vieira, "Mapping Software Faults with Web Security Vulnerabilities", Proc. IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2008, June 2008.

[VAI4] J. Fonseca, M. Vieira, and H. Madeira, "Training Security Assurance Teams using Vulnerability Injection", Proc. IEEE Pacific Rim Dependable Computing Conference, PRDC 2008, December 2008.

[VAI5] J. Fonseca, M. Vieira, and H. Madeira, "Vulnerability & attack injection for web applications", 2009 IEEE/IFIP International Conference on Dependable Systems & Networks, 2009, pp. 93-102, doi: 10.1109/DSN.2009.5270349.

Method Dimensions
In-the-lab environment
Experimental - Testing
Software
Operation, System testing
Thinking, Acting
Non-Functional - Security
V&V process criteria, SCP criteria