Abstract

Vulnerability databases suffer from problems such as static unverifiability and a lack of effective practical application. This paper proposes a method of building an Exploitable Vulnerability Database for Cloud-Native Applications (CNAs). A new machine-oriented, structured vulnerability intelligence format is designed to store vulnerability information so that its processing can be automated. A large number of cloud-native application vulnerabilities have been tested, and a modularized test process is proposed in the form of a prototype that automatically builds a Deliberated Vulnerable Environment (DVE) in a pipelined manner using the DevOps toolchain. The prototype system can directly access the vulnerability database, build vulnerability intelligence, and extract key information from it. The affected software versions recorded in the vulnerability intelligence are used to fetch all vulnerable software base images by version comparison. A CNA image containing the desired vulnerability is generated from the base image with post-installation configurations, and a Vulnerability Auto-Validation Framework verifies whether the vulnerability is exploitable. After this process, the CNA image containing the DVE is automatically pushed to an image registry. Such a DVE image can be used in many settings, such as sandboxes, honeypots, and cyber ranges. Experiments demonstrate that the system can build and deliver DVE images from the proposed vulnerability intelligence. The experiments use real vulnerabilities from the National Vulnerability Database (NVD), with the machine-oriented structured vulnerability intelligence designed in this paper as the prototype system's input, and the system successfully releases the DVE image when the vulnerability intelligence is accurate.
Furthermore, the build process and result of the DVE image can be inspected and visualized through the CI/CD pipeline, which increases confidence in the veracity of the vulnerability intelligence.
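The pipeline described in the abstract (structured vulnerability record in, version comparison against available base-image tags, post-installation configuration, validation check, image out) can be sketched in code. The following is an added example written for this page, not the paper's prototype or its intelligence format: the JSON field names, the software name `example-app`, the image tags, the post-install command and the placeholder vulnerability identifier are all constructed assumptions. It selects the base-image tags that fall inside the affected version ranges, renders a Dockerfile for each, and shows the shape of a non-destructive validation check (matching an expected banner string) of the kind an auto-validation stage would run before pushing to a registry.

```python
import json
import re

# Constructed machine-oriented vulnerability intelligence record (assumption:
# field names are illustrative, not the paper's format; the id is a placeholder).
VULN_INTEL_JSON = """
{
  "id": "CVE-XXXX-PLACEHOLDER",
  "software": "example-app",
  "affected": [
    {"introduced": "1.2.0", "fixed": "1.4.3"}
  ],
  "post_install": [
    "echo 'feature_x = enabled' >> /etc/example-app/app.conf"
  ],
  "validation": {"type": "banner", "expect": "example-app/1."}
}
"""

# Constructed list of tags a registry might offer for the base image (assumption).
AVAILABLE_TAGS = ["1.1.9", "1.2.0", "1.3.5", "1.4.2", "1.4.3", "2.0.0-rc1", "latest"]


def load_intel(intel_json):
    """Parse the structured record; a real system would fetch it from the database."""
    return json.loads(intel_json)


def parse_version(tag):
    """Turn 'X.Y.Z' into a comparable int tuple; non-numeric tags yield None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range of the record."""
    v = parse_version(version)
    if v is None:
        # Tags like 'latest' or '2.0.0-rc1' cannot be compared safely, so they
        # are skipped rather than guessed at.
        return False
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = parse_version(r["fixed"]) if r.get("fixed") else None
        if lo <= v and (hi is None or v < hi):
            return True
    return False


def select_vulnerable_tags(intel, tags):
    """Version comparison step: keep only tags inside the affected ranges."""
    return [t for t in tags if is_affected(t, intel["affected"])]


def render_dockerfile(intel, tag):
    """Emit a Dockerfile that layers the post-install configuration on the base image."""
    lines = [
        f"FROM {intel['software']}:{tag}",
        f'LABEL dve.vuln_id="{intel["id"]}"',
    ]
    for cmd in intel["post_install"]:
        lines.append(f"RUN {cmd}")
    return "\n".join(lines) + "\n"


def validate_banner(intel, observed_banner):
    """Validation stage (assumed form): check the running image reports an
    affected build by matching the expected banner substring."""
    return intel["validation"]["expect"] in observed_banner


def build_plan(intel_json, tags):
    """Full flow: record -> vulnerable tags -> one Dockerfile per tag."""
    intel = load_intel(intel_json)
    return {t: render_dockerfile(intel, t) for t in select_vulnerable_tags(intel, tags)}


if __name__ == "__main__":
    for tag, dockerfile in build_plan(VULN_INTEL_JSON, AVAILABLE_TAGS).items():
        print(f"# --- DVE Dockerfile for tag {tag} ---")
        print(dockerfile)
```

In a CI/CD pipeline each rendered Dockerfile would become one build job, the validation check would run against the started container, and only images that pass would be tagged and pushed; the per-job logs are what make the build inspectable in the way the abstract describes.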
