面向SaaS云平台的安全漏洞评分方法研究

doi:10.11959/j.issn.1000-436x.2016166

摘要/Abstract

摘要：

对不同的第三方提供的云服务进行漏洞评分是一项充满挑战的任务。针对一些基于云平台的重要因素，例如业务环境（业务间的依赖关系等），提出了一种新的安全框架VScorer，用于对基于不同需求的云服务进行漏洞评分。通过对VScorer输入具体的业务场景和安全需求，云服务商可以在满足安全需求的基础上获得一个漏洞排名。根据漏洞排名列表，云服务提供商可以修补最关键的漏洞。在此基础上开发了VScorer的原型，并且证实它比现有最具有代表性的安全漏洞评分系统CVSS表现得更为出色。

关键词: SaaS, 云服务, 漏洞评分系统, CVSS

Abstract:

There are full of challenges to score vulnerabilities of cloud services developed by different third-party pro-viders.Although there have been a few systems for scoring vulnerabilities (e.g.,CVSS) of many existing software,most of them are unable to be leveraged to score vulnerabilities in cloud services,because they fail to consider some important factors located in the clouds such as business context (i.e.,dependency relationships between services).VScorer,a novel security frame work to score vulnerabilities in various cloud services were presented based on different given require-ments.By inputting concrete business context and security requirement into VScorer,cloud provider can get a ranking list of vulnerabilities in the business based on the given security requirement.Following the ranking list,cloud provider was able to patch the most critical vulnerabilities first.A prototype was developed and VScorer can be demonstrazed to work better than current representative vulnerability scoring system CVSS.

Key words: SaaS, cloud service, vulnerability scoring system, CVSS

李舟,唐聪,胡建斌,陈钟. 面向SaaS云平台的安全漏洞评分方法研究[J]. 通信学报, 2016, 37(8): 157-166.

Zhou LI,Cong TANG,Jian-bin HU,Zhong CHEN. Vulnerabilities scoring approach for cloud SaaS[J]. Journal on Communications, 2016, 37(8): 157-166.

图/表 14

图1

图2

图3

图4

图5

表1

表2

表3

图6

表4

表5

表6

图7

图8

参考文献 18

[1]	RISTENPART T , TROMER E , SHACHAM H , et al. Hey,you,get off of my cloud:exploring information leakage in third-party compute clouds[C]// ACM Conference on Computer and Communications Se-curity. c2009:199-212.
[2]	BELLOVIN S . On the brittleness of software and the infeasibility of security metrics[J]. IEEE Security and Privacy, 2006,4(4): 96-.
[3]	BOZORGI M , SAUL L , SAVAGE , et al. Beyond heuristics:learning to classify vulnerabilities and predict exploits[C]// ACM Sigkdd Inter-national Conference on Knowledge Discovery ＆ Data Mining. ACM, c2010:105-114.
[4]	IBM. IBM Internet Security Systems X-Force 2008 Trend and Risk Report[R]. White paper, 2009.
[5]	A complete guide to the common vulnerability scoring system[S].
[6]	OWASP Top Ten[EB/OL]. , 2003.
[7]	SANS Top-20 Security Risks[EB/OL]. , 2009.
[8]	CHEN X , ZHANG M , MAO Z , et al. Automating network application dependency discovery:Experiences,limitations,and new solu-tions[C]// Usenix Symposium on Operating Systems Design ＆ Im-plementation. c2008:117-130.
[9]	ENSEL C . A scalable approach to automated service dependency modeling in heterogeneous environments[C]// IEEE International En-terprise Distributed Object Computing Conference. c2001:128-139.
[10]	DOUGHERTY C . Vulnerability metric[EB/OL]. , c2008,07,24.
[11]	SAWILLA R OU X . Identifying critical attack assets in depend-ency attack graphs[C]// European Symposium on Computer Secu-rity-esorics. c2008:18-34.
[12]	OSVDB . The open source vulnerability database[S].
[13]	CVE Editorial Board. Common vulnerabilities and exposures:the standard for information security vulnerability names[S].
[14]	GYONGYI Z , GARCIA H , PEDERSEN J . GARCIA H,PEDERSEN J.Combating web spam with trustrank[C]// Thirtieth International Conference on Very Large Data Bases. c2010:576-587.
[15]	CHRISTOS T . Software for Cloud[S].
[16]	SCARFONE K MELL P . An analysis of cvss version 2 vulnerabil-ity scoring[C]// FDTC 2013. International Symposium on Empirical Software Engi-neering ＆ Measurement c2009:516-525.
[17]	FRUHWIRTH C MANNISTO T . Improving cvss-based vulnerability prioritization and response with context information[C]// ESEM. International Symposium on Empirical Software Engi-neering ＆ Measurement c2009:535-544.
[18]	MOORE D SHANNON C CLAFFY K . A case study on the spread and victims of an Internet worm[C]// ESEM. Internet Measurement Workshop c2002:273-284.

漏洞	可利用性	威胁级别
CVE-2007-1747	0.801	2.0
CVE-2008-3648	0.45	2.0
CVE-2006-6077	0.304 5	3.0
CVE-2008-5410	0.702	2.0
CVE-2008-0231	0.34	1.0
CVE-2008-0600	0.54	3.0

式(2)	式(4)	CVSS
CVE-2008-5410	CVE-2008-5410	CVE-2008-0600
CVE-2008-0600	CVE-2008-0600	CVE-2006-6077
CVE-2007-1747	CVE-2007-1747	CVE-2007-1747
CVE-2008-3648	CVE-2006-6077	CVE-2008-5410
CVE-2006-6077	CVE-2008-3648	CVE-2008-3648
CVE-2008-0231	CVE-2008-0231	CVE-2008-0231

漏洞	可利用性	威胁级别
V-2009-4447	0.7	3.0
V-2009-3508	0.5	2.5
V-2006-6077	0.7	4.0
V-2007-6410	0.6	3.5
V-2008-3631	0.5	2.5

式(2)	式(4)	CVSS
V-2009-3508	V-2006-6077	V-2006-6077
V-2007-6410	V-2009-3508	V-2007-6410
V-2006-6077	V-2007-6410	V-2009-4447
V-2009-4447	V-2009-4447	V-2009-3508
V-2008-3631	V-2008-3631	V-2008-3631

漏洞	可利用性	威胁级别
V-2010-4307	0.71	3.0
V-2009-2208	0.53	2.5
V-2010-9337	0.212	2.0
V-2009-9010	0.103	2.5
V-2009-1031	0.503	2.5
V-2009-2675	0.52	2.5