Estimates of success rates of remote arbitrary code execution attacks
2012 (English). In: Information Management & Computer Security, ISSN 0968-5227, Vol. 20, no. 2, pp. 107-122. Article in journal (Refereed). Published.
Abstract
Purpose: The purpose of this paper is to identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks, that is, attacks that use software vulnerabilities to execute the attacker's own code on targeted machines. Both attacks against servers and attacks against clients are studied.
Design/methodology/approach: The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server-side attacks and eight for client-side attacks. The assessment is made through domain experts and is synthesized using Cooke's classical method, an established method for weighting experts' judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts.
Findings: Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server-side attacks and between 43 and 67 percent for client-side attacks. Based on these scenarios, the influence of different protective measures is identified.
Practical implications: The results of this study offer guidance to decision makers on how to best secure their assets against remote code execution attacks. These results also indicate the overall risk posed by this type of attack.
Originality/value: Attacks that use software vulnerabilities to execute code on targeted machines are common and pose a serious risk to most enterprises. However, there are no quantitative data on how difficult such attacks are to execute or on how effective security measures are against them. The paper provides such data using a structured technique to combine expert judgments.
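Cooke's classical method, which the abstract names as the technique used to synthesize the expert assessments, is not a plain average of opinions: each expert is scored on seed questions with known answers, and the scores become the weights. The following Python script is an added example, not code or data from the paper. It implements the method's calibration score (a chi-square test of how the expert's 5%/50%/95% quantiles bracket the seed answers), the information score (relative entropy of the expert's distribution against the uniform distribution on the intrinsic range), performance-based weights with an optional cutoff alpha, and the weighted combination of expert distributions for one target item. The ten seed answers, the three hypothetical experts A, B and C, the target-scenario quantiles and all function names are constructed assumptions.

```python
import math

# Probability mass the elicited 5%/50%/95% quantiles assign to the four
# inter-quantile bins: (-inf, q05], (q05, q50], (q50, q95], (q95, +inf).
BIN_PROBS = (0.05, 0.45, 0.45, 0.05)
OVERSHOOT = 0.10  # intrinsic range is widened by 10% on each side


def chi2_cdf_df3(x):
    """CDF of the chi-square distribution with 3 degrees of freedom (closed form)."""
    if x <= 0.0:
        return 0.0
    return math.erf(math.sqrt(x / 2.0)) - math.sqrt(2.0 * x / math.pi) * math.exp(-x / 2.0)


def bin_index(q, value):
    """Index (0..3) of the inter-quantile bin of q = (q05, q50, q95) holding value."""
    return sum(1 for cut in q if value > cut)


def calibration_score(quantiles, realizations):
    """Cooke's calibration: 1 - chi2_cdf(2N * I(s, p)), with s the expert's empirical
    bin frequencies over the N seed questions and p = BIN_PROBS."""
    n = len(realizations)
    counts = [0] * 4
    for q, r in zip(quantiles, realizations):
        counts[bin_index(q, r)] += 1
    s = [c / n for c in counts]
    rel_entropy = sum(si * math.log(si / pi) for si, pi in zip(s, BIN_PROBS) if si > 0)
    return 1.0 - chi2_cdf_df3(2.0 * n * rel_entropy)


def intrinsic_range(item_quantiles, realization=None):
    """Smallest interval covering every expert's q05..q95 (and the known answer,
    if any), widened by OVERSHOOT on both sides."""
    lo = min(q[0] for q in item_quantiles)
    hi = max(q[2] for q in item_quantiles)
    if realization is not None:
        lo, hi = min(lo, realization), max(hi, realization)
    span = hi - lo
    return lo - OVERSHOOT * span, hi + OVERSHOOT * span


def information_score(quantiles, ranges):
    """Mean relative entropy of the expert's piecewise-uniform density against the
    uniform density on the intrinsic range; larger means more concentrated."""
    total = 0.0
    for (q05, q50, q95), (lo, hi) in zip(quantiles, ranges):
        widths = (q05 - lo, q50 - q05, q95 - q50, hi - q95)
        total += sum(p * math.log(p * (hi - lo) / w) for p, w in zip(BIN_PROBS, widths))
    return total / len(quantiles)


def classical_weights(experts, seeds, alpha=0.0):
    """Performance-based weights: calibration * information, zeroed below the
    cutoff alpha, then normalised to sum to one."""
    names = list(experts)
    ranges = [intrinsic_range([experts[e][i] for e in names], seeds[i]) for i in range(len(seeds))]
    raw = {}
    for e in names:
        cal = calibration_score(experts[e], seeds)
        raw[e] = cal * information_score(experts[e], ranges) if cal >= alpha else 0.0
    total = sum(raw.values())
    return {e: w / total for e, w in raw.items()}


def expert_cdf(q, rng, x):
    """Piecewise-linear CDF through (lo,0), (q05,.05), (q50,.5), (q95,.95), (hi,1)."""
    lo, hi = rng
    xs, ps = (lo, q[0], q[1], q[2], hi), (0.0, 0.05, 0.5, 0.95, 1.0)
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    i = bin_index(xs[1:4], x)  # segment [xs[i], xs[i+1]] contains x
    return ps[i] + (ps[i + 1] - ps[i]) * (x - xs[i]) / (xs[i + 1] - xs[i])


def decision_maker_quantile(weights, target_quantiles, p, iters=60):
    """Quantile p of the weighted mixture of the experts' distributions for a target item."""
    rng = intrinsic_range(list(target_quantiles.values()))
    lo, hi = rng

    def mixture_cdf(x):
        return sum(w * expert_cdf(target_quantiles[e], rng, x) for e, w in weights.items())

    for _ in range(iters):  # bisection; the mixture CDF is monotone
        mid = (lo + hi) / 2.0
        if mixture_cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


# Constructed data (not from the paper): ten seed questions with known answers and
# three hypothetical experts' (q05, q50, q95) assessments of each. A brackets the
# answers well, B is narrow and always misses, C is wide but always in the middle.
SEEDS = [30, 35, 42, 48, 55, 61, 68, 74, 82, 90]
EXPERTS = {
    "A": [(35, 45, 60), (25, 40, 55), (22, 37, 52), (38, 53, 68), (35, 50, 65),
          (51, 66, 81), (48, 63, 78), (64, 79, 94), (62, 77, 92), (60, 75, 85)],
    "B": [(33, 35, 37), (28, 30, 32), (45, 47, 49), (41, 43, 45), (58, 60, 62),
          (54, 56, 58), (71, 73, 75), (67, 69, 71), (85, 87, 89), (83, 85, 87)],
    "C": [(10, 35, 55), (10, 30, 55), (22, 47, 67), (23, 43, 68), (35, 60, 80),
          (36, 56, 81), (48, 73, 93), (49, 69, 94), (62, 87, 107), (65, 85, 110)],
}
# The same experts' (constructed) assessments of the target item: success rate in
# percent of one attack scenario.
TARGET = {"A": (20, 45, 70), "B": (55, 60, 65), "C": (10, 40, 80)}

if __name__ == "__main__":
    w = classical_weights(EXPERTS, SEEDS)
    for e in EXPERTS:
        print(e, "calibration=%.3f" % calibration_score(EXPERTS[e], SEEDS), "weight=%.3f" % w[e])
    print("combined median success rate: %.1f%%" % decision_maker_quantile(w, TARGET, 0.5))
```

The point the example makes is the one that matters when reading the paper's percentages: an expert who is very precise but usually wrong (B) contributes almost nothing, while a well-calibrated expert with reasonably tight bounds (A) dominates the combined distribution. The real method also chooses alpha by optimizing the weight of the combined "decision maker"; the cutoff is left as a parameter here.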
Place, publisher, year, edition, pages
2012. Vol. 20, no 2, 107-122 p.
Keywords
Buffer overflows, Computer security, Computer software, Data management, Data security, Expert judgment, Information management, Remote code exploits, Software vulnerabilities
Subject category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-79604
DOI: 10.1108/09685221211235625
ScopusID: 2-s2.0-84861873854
OAI: oai:DiVA.org:kth-79604
DiVA: diva2:495611
QC 20120802. Available from: 2012-02-09. Created: 2012-02-09. Last updated: 2012-10-18. Bibliographically approved.