Thousands of vulnerabilities are reported on a monthly basis to security
repositories, such as the National Vulnerability Database. Among these
vulnerabilities, software misconfiguration is one of the top 10 security risks
for web applications. With this large influx of vulnerability reports, software
fingerprinting has become a highly desired capability to discover distinctive
and efficient signatures and recognize reportedly vulnerable software
implementations. Due to the exponential worst-case complexity of fingerprint
matching, designing more efficient methods for fingerprinting becomes highly
desirable, especially for variability-intensive systems where optional features
add another exponential factor to their analysis. This position paper presents
our vision of a framework that lifts model learning and family-based analysis
principles to software fingerprinting. In this framework, we propose unifying
databases of signatures into a featured finite state machine and using presence
conditions to specify whether and in which circumstances a given input-output
trace is observed. We believe feature-based signatures can aid performance
improvements by reducing the size of fingerprints under analysis.

Comment: Paper published in the Proceedings A Journey from Process Algebra via
Timed Automata to Model Learning: Essays Dedicated to Frits Vaandrager on the
Occasion of His 60th Birthday 202
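
A minimal sketch of the idea of feature-based signatures, added here as an illustration and not taken from the paper: several per-configuration signatures are merged into one featured finite state machine, and a single pass over an observed input-output trace narrows the set of configurations that could have produced it. The protocol messages, the feature names (`TLS`, `AUTH`) and the `match` function are constructed assumptions.

```python
from collections import defaultdict

# Constructed product family: every valid selection of two optional features.
CONFIGS = [frozenset(), frozenset({"TLS"}), frozenset({"AUTH"}),
           frozenset({"TLS", "AUTH"})]

# Featured FSM: (state, input) -> [(presence condition, output, next state)].
# A presence condition is a predicate over a configuration; it says in which
# configurations the transition (and so the I/O behaviour) exists.
FFSM = {
    ("s0", "HELLO"): [(lambda c: "TLS" in c, "UPGRADE", "s1"),
                      (lambda c: "TLS" not in c, "OK", "s1")],
    ("s1", "LOGIN"): [(lambda c: "AUTH" in c, "CHALLENGE", "s2"),
                      (lambda c: "AUTH" not in c, "OK", "s2")],
    ("s2", "QUIT"):  [(lambda c: True, "BYE", "s0")],
}

def match(trace, start="s0"):
    """Return the configurations consistent with an observed I/O trace.

    The trace is replayed once on the unified machine. Each step keeps only
    the configurations whose presence condition enables a transition that
    produces the observed output, instead of replaying the trace against
    one signature per configuration.
    """
    frontier = {start: set(CONFIGS)}
    for inp, out in trace:
        nxt = defaultdict(set)
        for state, configs in frontier.items():
            for cond, t_out, target in FFSM.get((state, inp), []):
                if t_out == out:
                    nxt[target] |= {c for c in configs if cond(c)}
        frontier = {s: cs for s, cs in nxt.items() if cs}
        if not frontier:
            return set()  # no configuration in the family explains the trace
    return set().union(*frontier.values())
```

An inventory check could then compare the returned configurations against those named in a vulnerability report.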