Understanding Software Security Vulnerabilities in Cloud Server Systems
Olufogorehan Tunde-Onadele, Yuhang Lin, Xiaohui Gu, Jingzhu He
2022 IEEE International Conference on Cloud Engineering (IC2E), published 2022-09-01
DOI: 10.1109/IC2E55432.2022.00033 (https://doi.org/10.1109/IC2E55432.2022.00033)
Citations: 1
Abstract
Cloud systems have been widely adopted by many real-world production applications. Thus, security vulnerabilities in those cloud systems can cause serious, widespread impact. Although previous intrusion detection systems can detect security attacks, understanding the underlying software defects that cause those security vulnerabilities is little studied. In this paper, we conduct a systematic study of 110 software security vulnerabilities in 13 popular cloud server systems. To understand the underlying vulnerabilities, we answer the following questions: 1) what are the root causes of those security vulnerabilities? 2) what threat impact does the vulnerable code have? 3) how do developers patch the vulnerable code? Our results show that the vulnerable code of the studied security vulnerabilities falls into five common categories: 1) improper execution restrictions, 2) improper permission checks, 3) improper resource path-name checks, 4) improper sensitive data handling, and 5) improper synchronization handling. We further extract principal vulnerable code patterns from those common vulnerability categories.