A Policy-Based Vulnerability Analysis Framework

Repeatability is essential to any science—computer science is no exception. However, the area of vulnerability analysis suffers from ambiguous definitions that hinder the repeatability of analysis results. Many researchers have turned to policy-based definitions of a vulnerability in an attempt to alleviate this ambiguity. However, it is rare that security policies are explicitly and precisely defined. As a result, these policy-based approaches merely shift the ambiguity from defining vulnerabilities to defining policies. Other researchers turn to strictly formal models and methods to provide repeatable results, but the practicality of such analysis is limited by the complexity of the environment and the availability of resources. This creates a conflict between repeatability and practicality that is often left unresolved in existing vulnerability analysis methods; an analysis framework either focuses on formal models to provide repeatability, or uses an ad hoc approach to provide practicality. This dissertation addresses this conflict by balancing specific formal and practical objectives to create a vulnerability analysis framework capable of producing repeatable results in realistic environments. This analysis framework relies on three major components: a hierarchy of security policies, a formal model of implementation vulnerabilities, and an implementation vulnerability classification scheme. We address the ambiguity surrounding security policies with a hierarchy that precisely defines security policies at four levels of abstraction. We use this policy hierarchy to provide a formal model of an implementation vulnerability. This model provides the formal foundation for our characteristic-based vulnerability classification scheme, which allows us to examine implementation vulnerabilities at a more practical level of abstraction. We combine these components into a cohesive implementation vulnerability analysis framework that provides insight into both when a system is non-secure, and how to mitigate that non-security.