07 FEB 2018

Software vulnerability: causes, risks and classification

Today, software is integrated into everyday life, as part of the devices and systems that we use all the time: computers, smartphones, systems in cars, control of home appliances, etc.

Software can be described as a complex system designed and developed by different programmers. Software is created by writing code. Programmers usually make errors (we call them ‘bugs’) when writing code: these errors are the root of software vulnerabilities, because each error can open a door into the system. This is how software becomes exposed to vulnerabilities.

The first rule of programming says that “It is always the fault of the programmer”.

Two studies conducted in 1973 and 1984 found that, of the total errors reported:

  • 95% were caused by programmers;
  • 2% caused by the system software (the compiler and the operating system);
  • 2% caused by other software;
  • 1% caused by the hardware.

A vulnerability, therefore, is a defect in the “construction” of the software that can be exploited, legitimately or deviously, to change the normal behavior of the system in order to obtain access to it. This activity is known as exploiting.

Vulnerabilities, therefore, offer a possible point of access to devices and systems, whether for legitimate activities, such as a check carried out to resolve them, or for illicit ones, such as an attack.

Despite knowledge and awareness of existing vulnerabilities, the number of vulnerabilities reported is rising strongly. For this reason, software security has become an important field of research and business.

The presence of vulnerabilities in software production makes it necessary to have tools and activities that help programmers detect or avoid errors during code development. In addition to code review, carried out by expert programmers and/or by specific software, vulnerability assessments and penetration tests can be performed; these resemble the activities of a potential hacker.


Software vulnerabilities, some examples

How many software vulnerabilities are there, and what are they? There are different types of vulnerabilities, which are reported as they are discovered. Let’s look at some of the types that have been recognized and classified:

Buffer overflow: this is a runtime error, that is, it happens while the program is running. It occurs when data larger than a fixed-size buffer is written into that buffer. This can cause the system to malfunction, because the new data can corrupt the data of other buffers or processes.

Format string bug: this occurs when data supplied in an input string is interpreted by the application as a legitimate command.
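The two bug classes described above, each next to a hardened form, as an added C example that is not part of the original article. The function names, NAME_LEN, the SHOW_VULNERABLE guard and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed buffer size, chosen for this example */

#ifdef SHOW_VULNERABLE   /* flawed forms, compiled only on request */
/* Buffer overflow: strcpy never learns how big dst is, so any input
 * longer than NAME_LEN - 1 bytes is written past the end of dst. */
void store_name_unsafe(char dst[NAME_LEN], const char *input) {
    strcpy(dst, input);
}

/* Format string bug: input is handed over as the format itself, so a
 * directive such as "%x" or "%n" in it is executed, not printed. */
int render_unsafe(char *out, size_t out_size, const char *input) {
    return snprintf(out, out_size, input);
}
#endif

/* Hardened copy: rejects input that does not fit (terminator included)
 * and leaves dst untouched in that case. Returns 0 on success, -1 on reject. */
int store_name_checked(char *dst, size_t dst_size, const char *input) {
    size_t n = strlen(input);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

/* Hardened formatting: the format is a constant and input is only data.
 * Returns 0 on success, -1 if the output was truncated or on error. */
int render_safe(char *out, size_t out_size, const char *input) {
    int n = snprintf(out, out_size, "%s", input);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int main(void) {
    char name[NAME_LEN], line[64];
    /* constructed sample input: format directives plus an over-long tail */
    const char *hostile = "%x%x%x%n AAAAAAAAAAAAAAAAAAAAAAAA";

    printf("copy accepted: %d\n", store_name_checked(name, sizeof name, hostile) == 0);
    if (render_safe(line, sizeof line, hostile) == 0)
        printf("rendered as data: %s\n", line);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang flag the non-literal format argument in `render_unsafe` when SHOW_VULNERABLE is defined.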

Software vulnerabilities, examples of an ‘Exploit’

When software can be attacked through a vulnerability, we have an “Exploit”.

Buffer overflow exploit: this can be used to inject malicious code, execute the injected code and take control of the system.

Format string exploit: an attacker could execute code, read data structures (the stack) or cause a segmentation error in the running application, producing new behaviors that could compromise system security or stability.

Elaborated by Lucia D’Adamo, in collaboration with Andrea Petriglia, supervised by Marco Pirrone