http://www.coloradoan.com/apps/pbcs.dll/article?AID=/20060710/BUSINESS/607100316/1046

By CHRISTINE McMANUS
ChristineMcManus [at] coloradoan.com
July 10, 2006

Defending the world from hackers and their billion-dollar crashes, a computer science team at Colorado State University has come up with a model to prevent headline-catching software bugs. Even the Department of Homeland Security and Microsoft are looking to the CSU model.

Computer science Professor Yashwant K. Malaiya is taking advantage of the fact that hackers target software when it is at its peak in the market. Both new and old software that fewer people use is less at risk of being hacked.

Malaiya and doctoral student Omar Alhazmi developed a model to predict software vulnerabilities with greater accuracy than ever before. The model helps software development companies and online financial institutions project how many software developers they will need in order to protect and patch their products.

It is impossible to implement an operating system like Windows XP or Linux, a Web server such as Apache or Microsoft IIS, or a Web browser free from vulnerabilities, Malaiya said.

"We can predict how many vulnerabilities may occur, but not exactly which ones, or where or what will be hacked," Malaiya said. "Our hope is that vulnerability gets patched before it gets exploited."

The Department of Homeland Security has a specific branch to handle computer security called the Computer Emergency Readiness Team. CERT analysts published a book titled "Secure Coding in C and C++" with their similar systematic studies of software vulnerabilities. Malaiya's model is available to the general public online.

The model is useful to two groups: software developers and online financial institutions.

"We are happy to see our model has worked so well," Malaiya said. "As we collect more data, we're finding it works better than we had initially expected."
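The article reports only the model's predictions, so here is an added example (not code from the article or from the CSU team) of how the Alhazmi-Malaiya Logistic model projects a product's eventual vulnerability total from its cumulative discovery counts. The model's formula is the one in Alhazmi and Malaiya's published papers; the monthly series, its parameters and the function names are constructed for illustration and describe no real product.

```python
import math

# Added example: AML model formula from Alhazmi & Malaiya's published work;
# the discovery series below is CONSTRUCTED, not data for any real product.


def aml_cumulative(t, A, B, C):
    """Cumulative vulnerabilities found by month t.

    Omega(t) = B / (B*C*exp(-A*B*t) + 1): B is the total the product will
    eventually yield, A scales the discovery rate, C fixes Omega(0).
    """
    return B / (B * C * math.exp(-A * B * t) + 1.0)


def fit_aml(times, counts):
    """Estimate (A, B, C) from a cumulative discovery series.

    Differential form: dOmega/dt = A*Omega*(B - Omega), so rate/Omega =
    A*B - A*Omega is linear in Omega; ordinary least squares on adjacent
    observation pairs gives A (from the slope) and B (from the intercept).
    """
    xs, ys = [], []
    for i in range(1, len(times)):
        rate = (counts[i] - counts[i - 1]) / (times[i] - times[i - 1])
        mid = (counts[i] + counts[i - 1]) / 2.0   # Omega over the interval
        if mid > 0 and rate > 0:
            xs.append(mid)
            ys.append(rate / mid)
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    A = -sxy / sxx                      # slope = -A
    B = (my + A * mx) / A               # intercept = A*B
    # C from the first observation: Omega(t0) = B / (B*C*exp(-A*B*t0) + 1)
    C = (B / counts[0] - 1.0) / B * math.exp(A * B * times[0])
    return A, B, C


def constructed_series(months=48, A=0.25 / 300, B=300.0, C=29.0 / 300):
    """Synthetic series: 10 vulnerabilities known at t=0, saturating near B=300."""
    times = list(range(months + 1))
    return times, [aml_cumulative(t, A, B, C) for t in times]


if __name__ == "__main__":
    times, counts = constructed_series()
    A, B, C = fit_aml(times[:25], counts[:25])   # fit on the first two years only
    print(f"found so far: {counts[24]:.0f}, projected total B: {B:.0f}")
    print(f"expected by month 36: {aml_cumulative(36, A, B, C):.0f}")
```

Fitting on the first two years and projecting B is the kind of "how many will there be in total" estimate the article describes; the gap between the count found so far and B is the remaining patch workload.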
The Alhazmi-Malaiya Logistic model predicted that very few additional vulnerabilities would be found in Red Hat Linux 6.2, and the number has stayed unchanged at 117, according to a release from CSU. The model predicted that the number of vulnerabilities in Windows 2000 would range from 294 to 410. At the time of the prediction the number was at 172; it is now at 250, and vulnerabilities still are being found. The model predicted that Windows XP vulnerabilities would grow rapidly. In January 2005 there were 88; now there are 173.

There are major cost savings associated with the model. Any one of the 5,200 vulnerabilities found by the Department of Homeland Security in 2005 has the potential to change market capitalization to the tune of $860 million. Many hackers are based outside the U.S.

"I'm sure Microsoft is following our work. I have former students who work for Microsoft," Malaiya said. "Our results are in the public domain."

While the model may some day be commercialized, it is now up for grabs to fight hackers.

_________________________________
Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches.
www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 01:31:34 PDT