Viet Hung Nguyen

Tin Leelavimolsilp, Long Tran-Thanh, Sebastian Stein et al.

Proof-of-Work blockchain, despite its numerous benefits, is still not an entirely secure technology due to the existence of Selfish Mining (SM) strategies that can disrupt the system and its mining economy. While the effect of SM has been studied mostly in a two-miners scenario, it has not been investigated in a more practical context where there are multiple malicious miners individually performing SM. To fill this gap, we carry out an empirical study that separately accounts for different numbers of SM miners (who always perform SM) and strategic miners (who choose either SM or Nakamoto's mining protocol depending on which maximises their individual mining reward). Our result shows that SM is generally more effective as the number of SM miners increases, however its effectiveness does not vary in the presence of a large number of strategic miners. Under specific mining power distributions, we also demonstrate that multiple miners can perform SM and simultaneously gain higher mining rewards than they should. Surprisingly, we also show that the more strategic miners there are, the more robust the systems become. Since blockchain miners should naturally be seen as self-interested strategic miners, our findings encourage blockchain system developers and engineers to attract as many miners as possible to prevent SM and similar behaviour.

Viet Hung Nguyen, Fabio Massacci

A precise vulnerability discovery model (VDM) will provide a useful insight to assess software security, and could be a good prediction instrument for both software vendors and users to understand security trends and plan ahead patching schedule accordingly. Thus far, several models have been proposed and validated. Yet, no systematically independent validation by somebody other than the author exists. Furthermore, there are a number of issues that might bias previous studies in the field. In this work, we fill in the gap by introducing an empirical methodology that systematically evaluates the performance of a VDM in two aspects: quality and predictability. We further apply this methodology to assess existing VDMs. The results show that some models should be rejected outright, while some others might be adequate to capture the discovery process of vulnerabilities. We also consider different usage scenarios of VDMs and find that the simplest linear model is the most appropriate choice in terms of both quality and predictability when browsers are young. Otherwise, logistics-based models are better choices.

Viet Hung Nguyen, Fabio Massacci

NVD is one of the most popular databases used by researchers to conduct empirical research on data sets of vulnerabilities. Our recent analysis on Chrome vulnerability data reported by NVD has revealed an abnormally phenomenon in the data where almost vulnerabilities were originated from the first versions. This inspires our experiment to validate the reliability of the NVD vulnerable version data. In this experiment, we verify for each version of Chrome that NVD claims vulnerable is actually vulnerable. The experiment revealed several errors in the vulnerability data of Chrome. Furthermore, we have also analyzed how these errors might impact the conclusions of an empirical study on foundational vulnerability. Our results show that different conclusions could be obtained due to the data errors.

Viet Hung Nguyen, Fabio Massacci

Having a precise vulnerability discovery model (VDM) would provide a useful quantitative insight to assess software security. Thus far, several models have been proposed with some evidence supporting their goodness-of-fit. In this work we describe an independent validation of the applicability of six existing VDMs in seventeen releases of the three popular browsers Firefox, Google Chrome and Internet Explorer. We have collected five different kinds of data sets based on different definitions of a vulnerability. We introduce two quantitative metrics, goodness-of-fit entropy and goodness-of-fit quality, to analyze the impact of vulnerability data sets to the stability as well as quality of VDMs in the software life cycles. The experiment result shows that the "confirmed-by-vendors' advisories" data sets apparently yields more stable and better results for VDMs. And the performance of the s-shape logistic model (AML) seems to be superior performance in overall. Meanwhile, Anderson thermodynamic model (AT) is indeed not suitable for modeling the vulnerability discovery process. This means that the discovery process of vulnerabilities and normal bugs are different because the interests of people in finding security vulnerabilities are more than finding normal programming bugs.