Další formáty:
BibTeX
LaTeX
RIS
@article{2418937,
author = {Janovský, Adam and Jančár, Ján and Švenda, Petr and Chmielewski, Lukasz Michal and Michalík, Jiří and Matyáš, Václav},
article_number = {143},
doi = {http://dx.doi.org/10.1016/j.cose.2024.103895},
keywords = {Security certification; Common Criteria; Vulnerability assessment; Data analysis; Smartcards},
language = {eng},
issn = {0167-4048},
journal = {Computers & Security},
title = {sec-certs: Examining the security certification practice for better vulnerability mitigation},
url = {https://www.sciencedirect.com/science/article/pii/S0167404824001974},
volume = {2024},
year = {2024}
}
TY - JOUR
ID - 2418937
AU - Janovský, Adam - Jančár, Ján - Švenda, Petr - Chmielewski, Lukasz Michal - Michalík, Jiří - Matyáš, Václav
PY - 2024
TI - sec-certs: Examining the security certification practice for better vulnerability mitigation
JF - Computers & Security
VL - 2024
IS - 143
SP - 1-13
EP - 1-13
SN - 01674048
KW - Security certification
KW - Common Criteria
KW - Vulnerability assessment
KW - Data analysis
KW - Smartcards
UR - https://www.sciencedirect.com/science/article/pii/S0167404824001974
N2 - Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST’s National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://sec-certs.org.
ER -
JANOVSKÝ, Adam, Ján JANČÁR, Petr ŠVENDA, Lukasz Michal CHMIELEWSKI, Jiří MICHALÍK a Václav MATYÁŠ. sec-certs: Examining the security certification practice for better vulnerability mitigation. \textit{Computers \&{} Security}. 2024, roč.~2024, č.~143, s.~1-13. ISSN~0167-4048. Dostupné z: https://dx.doi.org/10.1016/j.cose.2024.103895.
|
