Security vulnerabilities: Discovery, prediction, effect, and mitigation

Security vulnerabilities pose a real threat to computing systems ranging from personal computers to mobile devices and critical systems. Quantification and prediction of vulnerabilities allows us to compare systems, orient and plan to mitigate vulnerabilities, and design reliable and secure systems. In this dissertation, the software Vulnerability Discovery Models (VDMs) are studied and it is illustrated that they cannot provide accurate vulnerability prediction even with large amount of historical vulnerability data. We then propose and study a scheme that incorporates software properties such as compliance with secure coding rules and code complexity measures to provide vulnerability prediction without reliance on historical data. The new scheme is evaluated by testing it on real-world software applications and comparing it with existing VDMs. The new scheme applies to C/C++ applications. In addition, the study is extended by developing and evaluating a scheme to measure and quantify the impact of protocol vulnerabilities. In this framework, simulation is used to analyze various protocol configurations and provide recommendations for secure configurations of Virtual Private Networks (VPNs). The evaluation results illustrate that the new schemes can accurately quantify software and protocol vulnerabilities.