Assessing Vulnerabilities in Apache and IIS HTTP Servers

Sung-Whan Woo, Omar H. Alhazmi, Yashwant K. Malaiya
Colorado State University, Fort Collins, CO 80523
woo@cs.colostate.edu, omar@cs.colostate.edu, malaiya@cs.colostate.edu

ABSTRACT

We examine the feasibility of quantitatively characterizing the vulnerabilities in the two major HTTP servers. In particular, we investigate the applicability of quantitative empirical models to the vulnerability discovery process for these servers. Such models can allow us to predict the number of vulnerabilities that may be present in a server but have not yet been found. The data on vulnerabilities found in the two servers is mined and analyzed. We explore the applicability of a time-based and an effort-based vulnerability discovery model. The effort-based model requires the current market share of a server as an input. Both models have previously been applied to vulnerabilities in the major operating systems. Our results show that both vulnerability discovery models fit the data for the HTTP servers well. We also examine two separate classification schemes for server vulnerabilities, one based on the source of the error and the other based on severity, and then explore the applicability of the quantitative methods to the individual classes.

General Terms: Security, Measurement

Keywords: Vulnerabilities, risk evaluation, quantitative security modeling, HTTP servers.

1. INTRODUCTION

There has been considerable discussion of server security in recent years. However, much of it has been qualitative, often focused on the detection and prevention of individual vulnerabilities. Quantitative data is sometimes cited, but without any significant critical analysis. Methods need to be developed that allow security-related risks to be evaluated quantitatively in a systematic manner. A study by Ford et al. has made a side-by-side comparison of various general-purpose servers in terms of the number and severity of their vulnerabilities. That study concluded that tools are needed for estimating the risks posed by vulnerabilities [12].

Two of the major software components of the Internet are the HTTP (Hypertext Transfer Protocol) server, also termed a web server, and the browser, which serves as the client. Both components were first introduced in 1991 by Tim Berners-Lee of CERN. They have now become indispensable parts of both organizational and personal interactions. The early web servers provided information using static HTML pages. The web server now provides dynamic and interactive services between server and client using database queries, executable scripts, etc., and is able to support functions such as serving streaming media, mail, etc. The HTTP server has thus emerged as a focal point of the Internet.

In this paper we examine the vulnerabilities in the two most widely used HTTP servers: the Apache server, introduced in 1995, and the Microsoft IIS (Internet Information Services) server, originally supplied as part of the Windows NT operating systems in 1995-96. While Apache has a much larger overall market share, roughly 70%, IIS may have a higher share of corporate websites. The market share of other servers is very small and they are therefore not examined here. Of the two, IIS is the only one that is not open-source. Apache and IIS are generally comparable in features. IIS runs only under the Windows operating systems, whereas Apache supports all the major operating systems.

The security of systems connected to the Internet depends on several components of the system, including the operating system, the HTTP server and the browser. Some of the major security compromises arise from vulnerabilities in HTTP servers. A vulnerability is defined as “a defect which enables an attacker to bypass security measures” [27].
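The abstract refers to a time-based vulnerability discovery model that is fitted to the cumulative count of vulnerabilities found so far and then used to estimate how many remain undiscovered, but this page does not give the model's equation. The following is an added example written for this page, not code from the paper. It assumes the time-based model is the logistic form these authors applied to operating systems, Ω(t) = B / (B·C·e^{-ABt} + 1), where B is the total number of vulnerabilities the product will eventually reveal and A and C shape the curve; it fits that model by a least-squares grid search to a constructed monthly series of cumulative counts (not Apache or IIS data). The function names, parameter ranges and sample counts are all assumptions made for the example.

```python
import math

# Constructed sample data (NOT Apache or IIS figures): cumulative number of
# vulnerabilities reported by each month since a hypothetical release date.
MONTHS = list(range(0, 37))


def aml_cumulative(t, a, b, c):
    """Assumed logistic (AML-style) time-based discovery model.

    Returns the expected cumulative number of vulnerabilities found by
    month t. b is the eventual total; a controls how fast discovery
    accelerates and c fixes the initial state (value at t = 0).
    """
    return b / (b * c * math.exp(-a * b * t) + 1.0)


# The constructed series is generated from the model with B=60, A=0.0025,
# C=0.5 and rounded to whole counts, so a known answer exists to check
# the fit against. Real data would come from NVD, MITRE, BugTraq, etc.
COUNTS = [round(aml_cumulative(t, 0.0025, 60, 0.5)) for t in MONTHS]


def fit_aml(times, counts):
    """Least-squares fit over a coarse grid of k = A*B, B and C.

    A grid search is used so the example has no dependency on a
    numerical optimizer. Returns (a, b, c, sse) for the best grid point.
    """
    best = None
    for ki in range(5, 31):                   # k = A*B in [0.05, 0.30]
        k = ki / 100.0
        decay = [math.exp(-k * t) for t in times]
        for b in range(30, 121):              # eventual total B in [30, 120]
            for ci in range(1, 21):           # C in [0.1, 2.0]
                c = ci / 10.0
                sse = 0.0
                for d, y in zip(decay, counts):
                    sse += (b / (b * c * d + 1.0) - y) ** 2
                if best is None or sse < best[3]:
                    best = (k / b, b, c, sse)
    return best


def predict_remaining(times, counts):
    """Fit the model and return (estimated total, estimated not-yet-found).

    The second value is the quantity the paper argues is the better
    indicator of risk: vulnerabilities still present but undiscovered.
    """
    _, b, _, _ = fit_aml(times, counts)
    return b, b - counts[-1]


if __name__ == "__main__":
    a, b, c, sse = fit_aml(MONTHS, COUNTS)
    total, remaining = predict_remaining(MONTHS, COUNTS)
    print(f"fitted A={a:.5f} B={b} C={c} (SSE={sse:.2f})")
    print(f"observed so far: {COUNTS[-1]}, estimated total: {total}, "
          f"estimated still undiscovered: {remaining}")
```

The grid is deliberately coarse; with real monthly counts one would use a proper non-linear least-squares routine and report confidence intervals on B, since the estimate of the undiscovered remainder is only as good as the fit of the saturation phase, which is exactly the part of the curve that has the fewest data points early in a product's life.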
Vulnerabilities that are found are disclosed by their finders through the common reporting mechanisms available in the field. Vulnerability databases are maintained by organizations such as the National Vulnerability Database [22], MITRE [19], Bugzilla [6] and BugTraq [28], as well as by the developers of the software. Exploits of some server vulnerabilities are well known. The Code Red worm [20], which exploited a vulnerability in IIS (described in Microsoft Security Bulletin MS01-033, June 18, 2001), appeared on July 13, 2001, and soon spread world-wide among unpatched systems.

All computing systems connected to the network are subject to some security risk. While there have been many studies attempting to identify the causes of vulnerabilities and potential counter-measures, the development of systematic quantitative methods to characterize security has begun only recently. There has been considerable debate comparing the security attributes of open-source and commercial software [5]. However, a careful interpretation of the data requires rigorous quantitative modeling methods. The likelihood of a system being compromised depends on the probability that a newly discovered vulnerability will be exploited. Thus, the risk is better represented by the vulnerabilities not yet discovered and by the vulnerability discovery rate than by the vulnerabilities that have been discovered in the past and remedied by patches.

Possible approaches to a quantitative perspective on exploitation trends are discussed in [10], [13]. Probabilistic examinations of intrusions have been presented by several researchers [11], [18]. In [24], Rescorla has studied vulnerabilities in open-source servers. The vulnerability discovery process in operating systems has just recently been