Estimates of success rates of remote arbitrary code execution attacks

Teodor Sommestad (Industrial Information and Control Systems, KTH Royal Institute of Technology, Stockholm, Sweden)
Hannes Holm (Industrial Information and Control Systems, KTH Royal Institute of Technology, Stockholm, Sweden)
Mathias Ekstedt (Industrial Information and Control Systems, KTH Royal Institute of Technology, Stockholm, Sweden)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 1 June 2012

Abstract

Purpose

The purpose of this paper is to identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks, that is, attacks which use software vulnerabilities to execute the attacker's own code on targeted machines. Both attacks against servers and attacks against clients are studied.

Design/methodology/approach

The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server‐side attacks and eight for client‐side attacks. The assessment is made through domain experts and is synthesized using Cooke's classical method, an established method for weighting experts' judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts.

Findings

Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server‐side attacks and between 43 and 67 percent for client‐side attacks. Based on these scenarios, the influence of different protective measures is identified.

Practical implications

The results of this study offer guidance to decision makers on how to best secure their assets against remote code execution attacks. These results also indicate the overall risk posed by this type of attack.

Originality/value

Attacks that use software vulnerabilities to execute code on targeted machines are common and pose a serious risk to most enterprises. However, there are no quantitative data on how difficult such attacks are to execute or on how effective security measures are against them. The paper provides such data using a structured technique to combine expert judgments.

Citation

Sommestad, T., Holm, H. and Ekstedt, M. (2012), "Estimates of success rates of remote arbitrary code execution attacks", Information Management & Computer Security, Vol. 20 No. 2, pp. 107-122. https://doi.org/10.1108/09685221211235625

Publisher

Emerald Group Publishing Limited

Copyright © 2012, Emerald Group Publishing Limited
