Vulnerability Analysis as Trustworthiness Evidence in Security Benchmarking: A Case Study on Xen.

2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) Pub Date : 2020-10-01 DOI:10.1109/ISSREW51248.2020.00078

Charles F. Gonçalves, Nuno Antunes

{"title":"Vulnerability Analysis as Trustworthiness Evidence in Security Benchmarking: A Case Study on Xen.","authors":"Charles F. Gonçalves, Nuno Antunes","doi":"10.1109/ISSREW51248.2020.00078","DOIUrl":null,"url":null,"abstract":"Hypervisors govern the resources of virtualized systems and are a crucial component of many cloud solutions. As a critical component, cloud providers should assess the hypervisor’s security to mitigate risk before adoption. Ideally, a benchmark should be applied to compare the security of different systems objectively, but security benchmarking is still an open problem. Notwithstanding, the evaluation of the system’s trustworthiness has been adopted as a promising approach as part of this complex evaluation process. In this work, we present a vulnerability data analysis of the Xen hypervisor. Additionally, we address the problem of how to apply this analysis results as trustworthiness evidence that can be applied in security benchmarks. Our results present an insightful characterization of Xen’s vulnerabilities evaluating their lifespan, distribution, and modeling. We also show that vulnerability data analysis can qualitatively characterize the Xen hypervisor’s trustworthiness and possibly reflect the security development efforts into its codebase.","PeriodicalId":202247,"journal":{"name":"2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2020-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSREW51248.2020.00078","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Hypervisors govern the resources of virtualized systems and are a crucial component of many cloud solutions. As a critical component, cloud providers should assess the hypervisor’s security to mitigate risk before adoption. Ideally, a benchmark should be applied to compare the security of different systems objectively, but security benchmarking is still an open problem. Notwithstanding, the evaluation of the system’s trustworthiness has been adopted as a promising approach as part of this complex evaluation process. In this work, we present a vulnerability data analysis of the Xen hypervisor. Additionally, we address the problem of how to apply this analysis results as trustworthiness evidence that can be applied in security benchmarks. Our results present an insightful characterization of Xen’s vulnerabilities evaluating their lifespan, distribution, and modeling. We also show that vulnerability data analysis can qualitatively characterize the Xen hypervisor’s trustworthiness and possibly reflect the security development efforts into its codebase.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

漏洞分析作为安全基准测试中的可信证据——以Xen为例

管理程序管理虚拟化系统的资源，是许多云解决方案的关键组件。作为一个关键组件，云提供商应该在采用管理程序之前评估其安全性以降低风险。理想情况下，应该应用基准测试来客观地比较不同系统的安全性，但是安全性基准测试仍然是一个开放的问题。尽管如此，作为这一复杂评价过程的一部分，对系统可靠性的评价已被采纳为一种有希望的方法。在这项工作中，我们提出了Xen管理程序的漏洞数据分析。此外，我们还解决了如何将此分析结果作为可用于安全基准测试的可信度证据加以应用的问题。我们的结果对Xen的漏洞进行了深刻的描述，评估了它们的生命周期、分布和建模。我们还表明，漏洞数据分析可以定性地描述Xen管理程序的可信度，并可能将安全开发工作反映到其代码库中。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)

自引率

0.00%

发文量