Increasing Automated Vulnerability Assessment Accuracy on Cloud and Grid Middleware
Abstract
The fast adoption of Cloud computing has led to an increase in novel information technology threats. The targets of these new threats range from large-scale distributed systems, such as the Large Hadron Collider at CERN, to industrial (water, power, electricity, oil, gas, etc.) distributed systems, i.e. SCADA systems. The use of automated tools for vulnerability assessment is quite attractive, but while these tools can find common problems in a program's source code, they miss a significant number of critical and complex vulnerabilities. In addition, middleware systems frequently base their security on mechanisms such as authentication, authorization, and delegation. While these mechanisms have been studied in depth and can control key resources, they are not enough to assure that all of an application's resources are safe. Therefore, the security of distributed systems has been placed under the watchful eye of security practitioners in government, academia, and industry. To tackle the problem of assessing the security of critical middleware systems, we propose a new automated vulnerability assessment approach, called Attack Vector Analyzer (AvA), which is able to automatically hint at which middleware components should be assessed and why. AvA is based on automating part of the First Principles Vulnerability Assessment, an analyst-centric (manual) methodology that has been used successfully to evaluate many production middleware systems. AvA's results are language-independent, provide a comprehensive assessment of attack vectors in the middleware, and are based on the Common Weakness Enumeration (CWE) system, a widely used labeling of security weaknesses. Our results are contrasted against a previous manual vulnerability assessment of the CrossBroker grid resource manager, and corroborate which middleware components should be assessed and why.