English

M-STAR: A Modular, Evidence-based Software Trustworthiness Framework

Cryptography and Security 2018-01-18 v1

Abstract

Despite years of intensive research in the field of software vulnerabilities discovery, exploits are becoming ever more common. Consequently, it is more necessary than ever to choose software configurations that minimize systems' exposure surface to these threats. In order to support users in assessing the security risks induced by their software configurations and in making informed decisions, we introduce M-STAR, a Modular Software Trustworthiness ARchitecture and framework for probabilistically assessing the trustworthiness of software systems, based on evidence, such as their vulnerability history and source code properties. Integral to M-STAR is a software trustworthiness model, consistent with the concept of computational trust. Computational trust models are rooted in Bayesian probability and Dempster-Shafer Belief theory, offering mathematical soundness and expressiveness to our framework. To evaluate our framework, we instantiate M-STAR for Debian Linux packages, and investigate real-world deployment scenarios. In our experiments with real-world data, M-STAR could assess the relative trustworthiness of complete software configurations with an error of less than 10%. Due to its modular design, our proposed framework is agile, as it can incorporate future advances in the field of code analysis and vulnerability prediction. Our results point out that M-STAR can be a valuable tool for system administrators, regular users and developers, helping them assess and manage risks associated with their software configurations.

Keywords

Cite

@article{arxiv.1801.05764,
  title  = {M-STAR: A Modular, Evidence-based Software Trustworthiness Framework},
  author = {Nikolaos Alexopoulos and Sheikh Mahbub Habib and Steffen Schulz and Max Mühlhäuser},
  journal= {arXiv preprint arXiv:1801.05764},
  year   = {2018}
}

Comments

18 pages, 13 figures

R2 v1 2026-06-22T23:48:03.026Z