A Model for Secure and Mutually Beneficial Software Vulnerability Sharing

Alexander Davidson; Gregory Fenn; Carlos Cid

doi:10.1145/2994539.2994547

A Model for Secure and Mutually Beneficial Software Vulnerability Sharing

Alexander Davidson, Gregory Fenn, Carlos Cid

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

324 Downloads (Pure)

Abstract

In this work we propose a model for conducting efficient and mutually beneficial information sharing between two competing entities, focusing specifically on software vulnerability sharing. We extend the two-stage game-theoretic model proposed by Khouzani et al. [18] for bug sharing, addressing two key features: we allow security information to be associated with different categories and severities, but also remove a large proportion of player homogeneity assumptions the previous work makes. We then analyse how these added degrees of realism affect the trading dynamics of the game. Secondly, we develop a new private set operation (PSO) protocol that enables the removal of the trusted mediation requirement. The PSO functionality allows for bilateral trading between the two entities up to a mutually agreed threshold on the value of information shared, keeping all other input information secret. The protocol scales linearly with set sizes and we give an implementation that establishes the practicality of the design for varying input parameters. The resulting model and protocol provide a framework for practical and secure information sharing between competing entities.

Original language	English
Title of host publication	WISCS '16 Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security
Publisher	ACM
Pages	3-14
Number of pages	12
ISBN (Print)	978-1-4503-4565-1
DOIs	https://doi.org/10.1145/2994539.2994547
Publication status	Published - 24 Oct 2016
Event	WISCS 2016 - 3rd ACM Workshop on Information Sharing and Collaborative Security - Vienna, Austria Duration: 24 Oct 2016 → 24 Oct 2016

Workshop

Workshop	WISCS 2016 - 3rd ACM Workshop on Information Sharing and Collaborative Security
Country/Territory	Austria
City	Vienna
Period	24/10/16 → 24/10/16

Access to Document

10.1145/2994539.2994547

Accepted ManuscriptAccepted author manuscript, 529 KB

http://dl.acm.org/citation.cfm?id=2994547&CFID=697013565&CFTOKEN=70635150

Centre for Doctoral Training in Cyber Security
Cid, C., Crampton, J., Martin, K. M. & Paterson, K.
Eng & Phys Sci Res Council EPSRC
1/04/13 → 31/12/19
Project: Research

Cite this

@inproceedings{85f73821cc7e4d6aa7bff44f7cf5e062,

title = "A Model for Secure and Mutually Beneficial Software Vulnerability Sharing",

abstract = "In this work we propose a model for conducting efficient and mutually beneficial information sharing between two competing entities, focusing specifically on software vulnerability sharing. We extend the two-stage game-theoretic model proposed by Khouzani et al. [18] for bug sharing, addressing two key features: we allow security information to be associated with different categories and severities, but also remove a large proportion of player homogeneity assumptions the previous work makes. We then analyse how these added degrees of realism affect the trading dynamics of the game. Secondly, we develop a new private set operation (PSO) protocol that enables the removal of the trusted mediation requirement. The PSO functionality allows for bilateral trading between the two entities up to a mutually agreed threshold on the value of information shared, keeping all other input information secret. The protocol scales linearly with set sizes and we give an implementation that establishes the practicality of the design for varying input parameters. The resulting model and protocol provide a framework for practical and secure information sharing between competing entities.",

author = "Alexander Davidson and Gregory Fenn and Carlos Cid",

year = "2016",

month = oct,

day = "24",

doi = "10.1145/2994539.2994547",

language = "English",

isbn = "978-1-4503-4565-1",

pages = "3--14",

booktitle = "WISCS '16 Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security",

publisher = "ACM",

note = "WISCS 2016 - 3rd ACM Workshop on Information Sharing and Collaborative Security ; Conference date: 24-10-2016 Through 24-10-2016",

}

Davidson, A, Fenn, G & Cid, C 2016, A Model for Secure and Mutually Beneficial Software Vulnerability Sharing. in WISCS '16 Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security. ACM, pp. 3-14, WISCS 2016 - 3rd ACM Workshop on Information Sharing and Collaborative Security, Vienna, Austria, 24/10/16. https://doi.org/10.1145/2994539.2994547

TY - GEN

T1 - A Model for Secure and Mutually Beneficial Software Vulnerability Sharing

AU - Davidson, Alexander

AU - Fenn, Gregory

AU - Cid, Carlos

PY - 2016/10/24

Y1 - 2016/10/24

N2 - In this work we propose a model for conducting efficient and mutually beneficial information sharing between two competing entities, focusing specifically on software vulnerability sharing. We extend the two-stage game-theoretic model proposed by Khouzani et al. [18] for bug sharing, addressing two key features: we allow security information to be associated with different categories and severities, but also remove a large proportion of player homogeneity assumptions the previous work makes. We then analyse how these added degrees of realism affect the trading dynamics of the game. Secondly, we develop a new private set operation (PSO) protocol that enables the removal of the trusted mediation requirement. The PSO functionality allows for bilateral trading between the two entities up to a mutually agreed threshold on the value of information shared, keeping all other input information secret. The protocol scales linearly with set sizes and we give an implementation that establishes the practicality of the design for varying input parameters. The resulting model and protocol provide a framework for practical and secure information sharing between competing entities.

AB - In this work we propose a model for conducting efficient and mutually beneficial information sharing between two competing entities, focusing specifically on software vulnerability sharing. We extend the two-stage game-theoretic model proposed by Khouzani et al. [18] for bug sharing, addressing two key features: we allow security information to be associated with different categories and severities, but also remove a large proportion of player homogeneity assumptions the previous work makes. We then analyse how these added degrees of realism affect the trading dynamics of the game. Secondly, we develop a new private set operation (PSO) protocol that enables the removal of the trusted mediation requirement. The PSO functionality allows for bilateral trading between the two entities up to a mutually agreed threshold on the value of information shared, keeping all other input information secret. The protocol scales linearly with set sizes and we give an implementation that establishes the practicality of the design for varying input parameters. The resulting model and protocol provide a framework for practical and secure information sharing between competing entities.

U2 - 10.1145/2994539.2994547

DO - 10.1145/2994539.2994547

M3 - Conference contribution

SN - 978-1-4503-4565-1

SP - 3

EP - 14

BT - WISCS '16 Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security

PB - ACM

T2 - WISCS 2016 - 3rd ACM Workshop on Information Sharing and Collaborative Security

Y2 - 24 October 2016 through 24 October 2016

ER -

A Model for Secure and Mutually Beneficial Software Vulnerability Sharing

Abstract

Workshop

Access to Document

Projects

Centre for Doctoral Training in Cyber Security

Cite this