3 Vulnerability Modeling
Vulnerability rates can be modeled extremely accurately for major products. Those
with an extremely small user base can also be modeled, but the results will fluctuate
due to large confidence intervals. What most people miss is that the number of vul-
nerabilities or bugs in software is fixed at release. Once the software has been created,
the number of bugs is a set value. What varies stochastically is the number of bugs
discovered at any time.
This is also simple to model, with the variance depending on the number of users (both benign and malicious) of the software. As this value tends to infinity (a large user base), adding further users makes only a marginal difference to the function. Small user bases, of course, show large variations as more people pay attention (such as after the release of a software vulnerability).
This is a Cobb-Douglas function [10] with the number of users and the rate of decay as variables. For widely deployed software (such as Microsoft's Office suite or the Mozilla browser), the function giving the number of vulnerabilities for a program of a given size can be approximated as a Poisson decay function.
3.1 Modeling the Discovery of Bugs/Vulnerabilities in Software
The discovery of software bugs can be mapped to the amount of time that has been spent both actively examining the product and passively searching for bugs (by using the software).
The study found a Cobb-Douglas function with $\alpha = 1.6$ and $F(x) = c \times TLOC + \epsilon$, where $c$ and $C$ are constant values, together with the function $G(x)$. $\beta$ is constant for a given number of users or installations and expresses the rate at which users report bugs. This equation increases to a set limit as the number of users increases. In the case of widely deployed software installations (such as Microsoft Word or Adobe Acrobat) and highly frequented Internet sites, this value tends towards $G(x) = 1$.
3.2 Equations for Bug Discovery
For a static software system under uniform usage, the rate of change in $N$, the number of defects discovered, is directly proportional to the number of defects in the system,
$$\frac{dN(t)}{dt} = -\alpha\, N(t) \qquad (1)$$
A static system is defined as one that experiences no new development, only defect repair. Likewise, uniform usage means the same number of runs per unit time. As the user base of the product tends to infinity, this becomes a better assumption.
If we set time $T$ to be any reference epoch, then $N$ satisfies
$$N(t) = N(T)\, e^{-\alpha (t - T)} \qquad (2)$$
This means we can observe the accumulated number of defects at time $t$, $A(t)$, where
$N(t) =$
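As an added worked example (not code from the paper or its authors), the following Python puts equations (1) and (2) to use: the closed form (2) is checked against a numerical integration of (1), and the decay rate $\alpha$ and the initial count $N(T)$ are estimated from a constructed series of monthly discovery counts. The reading that $N(t)$ is the number of defects not yet found at time $t$, the per-period relation derived from (2), the function names, and the sample counts are all assumptions made here, not statements from the paper.

```python
import math

# Assumed reading of (1)/(2): N(t) is the count of defects not yet found at
# time t, T is the reference epoch and alpha is the discovery (decay) rate.


def remaining_defects(n_T, alpha, t, T=0.0):
    """Closed form (2): N(t) = N(T) * exp(-alpha * (t - T))."""
    return n_T * math.exp(-alpha * (t - T))


def integrate_rate_equation(n_T, alpha, t, T=0.0, steps=1000):
    """Integrate (1), dN/dt = -alpha * N, from T to t with fixed-step RK4,
    so that (2) can be checked numerically against the rate equation."""
    h = (t - T) / steps
    n = float(n_T)
    for _ in range(steps):
        k1 = -alpha * n
        k2 = -alpha * (n + 0.5 * h * k1)
        k3 = -alpha * (n + 0.5 * h * k2)
        k4 = -alpha * (n + h * k3)
        n += (h / 6.0) * (k1 + 2 * k2 + 2 * k3 + k4)
    return n


def fit_discovery_rate(period_counts, T=0.0, h=1.0):
    """Estimate alpha and N(T) from the number of defects found per period.

    Derived here from (2), not taken from the paper: with periods of length h
    starting at T, the count found in period k (starting at t_k) is
        D_k = N(t_k) - N(t_k + h) = N(T) * (1 - exp(-alpha*h)) * exp(-alpha*(t_k - T)),
    so ln D_k is linear in t_k with slope -alpha.  Ordinary least squares on
    (t_k, ln D_k) gives alpha; N(T) then follows from the intercept.
    """
    ts = [T + k * h for k in range(len(period_counts))]
    ys = [math.log(d) for d in period_counts]
    n = len(ts)
    t_bar = sum(ts) / n
    y_bar = sum(ys) / n
    sxx = sum((t - t_bar) ** 2 for t in ts)
    sxy = sum((t - t_bar) * (y - y_bar) for t, y in zip(ts, ys))
    slope = sxy / sxx
    intercept = y_bar - slope * t_bar
    alpha = -slope
    # ln D_k = ln[N(T)(1 - e^{-alpha h})] + alpha*T - alpha*t_k, so the
    # bracketed term equals intercept - alpha*T.
    n_T = math.exp(intercept - alpha * T) / (1.0 - math.exp(-alpha * h))
    return alpha, n_T


# Constructed sample (not real data): monthly discovery counts generated from
# N(0) = 500 and alpha = 0.2 per month via the D_k relation above, rounded.
MONTHLY_FOUND = [91, 74, 61, 50, 41, 33, 27, 22, 18, 15, 12, 10]


def project_remaining(period_counts, months_ahead, h=1.0):
    """Fit the model to observed counts and project how many defects remain
    undiscovered months_ahead after the start of the observation window."""
    alpha, n_T = fit_discovery_rate(period_counts, T=0.0, h=h)
    return remaining_defects(n_T, alpha, months_ahead)


if __name__ == "__main__":
    alpha, n_T = fit_discovery_rate(MONTHLY_FOUND)
    print(f"fitted alpha = {alpha:.3f}/month, N(T) = {n_T:.1f}")
    print(f"closed form N(12) = {remaining_defects(n_T, alpha, 12):.1f}, "
          f"RK4 N(12) = {integrate_rate_equation(n_T, alpha, 12):.1f}")
    print(f"projected remaining after 24 months = {project_remaining(MONTHLY_FOUND, 24):.1f}")
```

The fit is a plain log-linear regression; with real monthly counts the residuals will be far noisier than in the constructed series, and a small user base (the paper's "large confidence interval" case) shows up directly as a wide scatter of $\ln D_k$ about the fitted line.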