A New Security Sensitivity Measurement for Software Variables

As software security becomes increasingly crucial in modern software system, security-oriented software development will become a vital component towards a secure system. Therefore, how to effectively analyze and measure the software security vulnerability during the software development process emerges as an essential problem. In this paper, we propose a new security sensitivity metric for software variables. Unlike the conventional black-box-based approaches, our metric targets at a fine granularity - the variable level. Model checking is applied to check whether any security property is violated when a program variable is influenced by the attack impacts. The security vulnerability of the variable is then calculated as its overall capability of maintaining security properties under malicious external attacks. A case study on stack-based buffer overflow property shows the effectiveness of our measurement in identifying and evaluating the security criticality of different variables in the software.