A Survey on Software Vulnerability Exploitability Assessment

Sarah Elder, Rayhanur Rahman, Gage Fringer, Kunal Kapoor, Laurie Williams
DOI: https://doi.org/10.1145/3648610
IF: 16.6
2024-03-20
ACM Computing Surveys
Abstract: Knowing the exploitability and severity of software vulnerabilities helps practitioners prioritize vulnerability mitigation efforts. Researchers have proposed and evaluated many different exploitability assessment methods. The goal of this research is to assist practitioners and researchers in understanding existing methods for assessing vulnerability exploitability through a survey of exploitability assessment literature. We identify three exploitability assessment approaches: assessments based on original, manual CVSS, automated Deterministic assessments, and automated Probabilistic assessments. Other than the original CVSS, the two most common subcategories are Deterministic, Program-State-Based, and Probabilistic Learning Model (LM) Assessments.
computer science, theory & methods
What problem does this paper attempt to address?
### Problems the paper attempts to solve

The paper "A Survey on Software Vulnerability Exploitability Assessment" addresses the problem of understanding and applying software vulnerability exploitability assessment methods. Specifically, it aims to help practitioners and researchers understand these methods by reviewing the existing literature on vulnerability exploitability assessment. The main background and objectives are:

1. **Problem background**:
   - The number of software vulnerabilities reported each year has grown continuously; since 2016, the annual count of vulnerabilities reported to the US National Vulnerability Database (NVD) has been rising.
   - Because far more vulnerabilities are reported than can be remediated at once, developers and security engineers must prioritize the most urgent risks.
   - Understanding and assessing a vulnerability's exploitability is a key component of risk-based vulnerability prioritization.
2. **Research objectives**:
   - **Review existing methods**: Help practitioners and researchers understand existing vulnerability exploitability assessment methods through a literature review.
   - **Classify assessment methods**: Identify and classify the different assessment methods, namely manual assessment based on the original CVSS, automated deterministic assessment, and automated probabilistic assessment.
   - **Analyze method characteristics**: Analyze the characteristics of these methods to show their similarities and differences.
3. **Research question**:
   - **RQ**: How can the exploitability of software vulnerabilities be assessed?

### Main contributions

- **Literature list**: A list of the academic literature on software vulnerability exploitability assessment.
- **Method characteristic analysis**: An analysis of the characteristics of software vulnerability exploitability assessment methods, showing the similarities and differences between them.

### Methodology

- **Literature collection**: A two-stage process of keyword search followed by snowballing.
  - **First stage**: Keyword search, with candidate papers screened using the active-learning tool FAST2, yielding an initial set of 160 papers.
  - **Second stage**: Snowballing over the cited and citing papers of that set, yielding a final set of 76 papers.
- **Classification and organization**: The papers are grouped by research category, and the keywords and categories are refined iteratively to compare and contrast the different vulnerability assessment methods.

### Conclusion

By reviewing the existing vulnerability exploitability assessment methods, the paper gives practitioners and researchers a consolidated reference that helps them select and apply an appropriate assessment method in practice.
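The first of the three approaches the survey identifies, assessment based on the original CVSS, rests on analysts assigning the CVSS base metrics by hand; the Exploitability sub-score is then a fixed function of four of those metrics. The following is an added example for this summary, not code from the surveyed paper or its authors: it implements the public CVSS v3.1 Exploitability sub-score formula (8.22 x AV x AC x PR x UI, with the Privileges Required weight depending on Scope), parses vector strings, and ranks a set of findings by exploitability. The vector strings and finding identifiers are constructed sample input, not real CVE records.

```python
"""CVSS v3.1 Exploitability sub-score from a vector string, plus a ranking of findings by it.

Added example accompanying a summary of the exploitability-assessment survey; it is not
code from the surveyed paper. The weights and formula are those of the CVSS v3.1
specification (Section 7.4). Sample vectors below are constructed, not real CVEs.
"""
import re

# Metric weights from the CVSS v3.1 specification.
AV_WEIGHT = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}          # Attack Vector
AC_WEIGHT = {"L": 0.77, "H": 0.44}                                  # Attack Complexity
PR_WEIGHT_SCOPE_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}       # Privileges Required, S:U
PR_WEIGHT_SCOPE_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}         # Privileges Required, S:C
UI_WEIGHT = {"N": 0.85, "R": 0.62}                                  # User Interaction

# Accept only v3.0/v3.1 vectors made of METRIC:VALUE pairs; anything else is rejected
# rather than silently scored (a CVSS v2 vector has different metrics and weights).
_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?P<metrics>[A-Z]+:[A-Z]+(?:/[A-Z]+:[A-Z]+)*)$")
_REQUIRED = ("AV", "AC", "PR", "UI", "S")


def parse_vector(vector: str) -> dict:
    """Parse 'CVSS:3.x/AV:N/AC:L/...' into {metric: value}; reject malformed input."""
    match = _VECTOR_RE.match(vector)
    if match is None:
        raise ValueError(f"not a well-formed CVSS v3.x vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in match.group("metrics").split("/"))
    missing = [m for m in _REQUIRED if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def exploitability(vector: str) -> float:
    """CVSS v3.1 Exploitability sub-score, unrounded (range 0 to about 3.887)."""
    m = parse_vector(vector)
    # A scope change raises the Privileges Required weight for L and H.
    pr_weight = PR_WEIGHT_SCOPE_CHANGED if m["S"] == "C" else PR_WEIGHT_SCOPE_UNCHANGED
    try:
        return 8.22 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * pr_weight[m["PR"]] * UI_WEIGHT[m["UI"]]
    except KeyError as bad:
        raise ValueError(f"unknown metric value {bad} in {vector!r}") from None


def rank_by_exploitability(findings):
    """Order (finding_id, vector) pairs most exploitable first; ties keep input order."""
    return sorted(findings, key=lambda f: exploitability(f[1]), reverse=True)


# Constructed sample findings (not real CVE records).
SAMPLE_FINDINGS = [
    ("finding-A", "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"),  # local, complex, admin, needs user action
    ("finding-B", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"),  # remote, trivial, unauthenticated
    ("finding-C", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"),  # remote, low privileges, scope change
]

if __name__ == "__main__":
    for fid, vec in rank_by_exploitability(SAMPLE_FINDINGS):
        print(f"{fid}: exploitability {exploitability(vec):.1f}  ({vec})")
```

Note that finding-A carries the highest impact metrics of the three yet ranks last: the Exploitability sub-score measures how easy a vulnerability is to reach and trigger, not whether an exploit exists or is being used, which is what the survey's deterministic (program-state-based) and probabilistic (learning-model) categories attempt to capture. The same formula applies to CVSS v3.0 vectors, which the parser also accepts.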