Saudi Cultural Missions Theses & Dissertations
Permanent URI for this community: https://drepo.sdl.edu.sa/handle/20.500.14154/10
2 results
Search Results
Item Restricted
Improving vulnerability description using natural language generation
(Saudi Digital Library, 2023-10-25) Althebeiti, Hattan; Mohaisen, David
Software plays an integral role in powering numerous everyday computing gadgets. As our reliance on software continues to grow, so does the prevalence of software vulnerabilities, with significant implications for organizations and users. As such, documenting vulnerabilities and tracking their development becomes crucial. Vulnerability databases addressed this issue by storing a record with various attributes for each discovered vulnerability. However, their contents suffer several drawbacks, which we address in our work. In this dissertation, we investigate the weaknesses associated with vulnerability descriptions in public repositories and alleviate such weaknesses through Natural Language Processing (NLP) approaches. The first contribution examines vulnerability descriptions in those databases and approaches to improve them. We propose a new automated method leveraging external sources to enrich the scope and context of a vulnerability description. Moreover, we exploit fine-tuned pretrained language models for normalizing the resulting description. The second contribution investigates the need for uniform and normalized structure in vulnerability descriptions. We address this need by breaking the description of a vulnerability into multiple constituents and developing a multi-task model to create a new uniform and normalized summary that maintains the necessary attributes of the vulnerability using the extracted features while ensuring a consistent vulnerability description. Our method proved effective in generating new summaries with the same structure across a collection of various vulnerability descriptions and types. Our final contribution investigates the feasibility of assigning the Common Weakness Enumeration (CWE) attribute to a vulnerability based on its description.
CWE offers a comprehensive framework that categorizes similar exposures into classes, representing the types of exploitation associated with such vulnerabilities. Our approach utilizing pre-trained language models is shown to outperform a Large Language Model (LLM) for this task. Overall, this dissertation provides various technical approaches exploiting advances in NLP to improve publicly available vulnerability databases.

Item Restricted
Improving Insecure Deserialization Discovery in Web Applications
(Saudi Digital Library, 2023-10-25) Almuaddi, Ahmed; Djenouri, Djamel
Insecure deserialization vulnerability has posed a persistent threat to backend systems and web applications since 2004, exposing devastating exploits such as remote code execution and privilege escalation. A significant challenge for testing for this vulnerability is the reliability of feedback obtained from the tested target, which made detecting the vulnerability difficult. This project aims to address this issue by introducing a novel method to provide a viable feedback mechanism that should show success or failure of attack and thus improve the accuracy of testing. Our proposed tool addresses the lack of reliability issue by applying the blind approach on testing insecure deserialization. This mechanism removes the need for readable feedback from the target and instead relies on the behaviour of the target to determine the success or failure of the approach. This provides a much more precise assessment of attack success or failure, thus improving the overall reliability of vulnerability detection. This was observable in my tests where the tool provided the outcome of the test. The tool also performed internal port scanning, which could be a serious vulnerability. In conclusion, the feedback mechanism introduced in this project shows the severity of Insecure deserialization, as well as the opportunity to automate the scanning process.
Keywords: Serialization; RMI; RCE; CVE; OWASP; NIST; NVD; SQL; Gadgets; Bytestream; Magic Method; Transformers.