Here we discuss the methods we used to conduct the empirical study.
To identify protocol resource exhaustion vulnerabilities among the large volume of vulnerability information in the database, we first automatically filtered vulnerabilities with the following methods:
1. Checking whether the type of the vulnerability is related to resource exhaustion. To decide the type of a vulnerability automatically, we rely on the Common Weakness Enumeration (CWE) classification. After investigating the whole CWE list, we found several CWE types related to resource exhaustion (CWE-400, CWE-401, CWE-404, CWE-770, CWE-789, CWE-1050, and CWE-1325). Vulnerabilities with at least one of these CWE types are selected. In addition, we checked whether the keyword "exhaust" appears in the vulnerability description, to capture vulnerabilities that are related to resource exhaustion but have no CWE type or were assigned a wrong CWE type.
2. Checking whether the vulnerability exists in a protocol implementation. For this, we checked whether the vulnerability description contains keywords related to protocols. Specifically, we used "protocol" and the names of several commonly used protocols ("http", "mqtt", "ftp", "dicom", "smtp", "rtsp", "ssh", "tls", and "telnet") as keywords.
We combined the two methods above and applied them to the CVE database, covering vulnerabilities from 2015 to 2022. In total, we collected 205 vulnerabilities that are related to resource exhaustion and exist in protocol implementations. Based on the collected vulnerabilities, we then conducted a manual analysis to identify the type of exhausted resource. The detailed results and the scripts will be released later.
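The two filtering criteria and the year window described above can be written as the following script. It is an added example, not the authors' script; the record layout (id, year, cwes, description), the case-insensitive substring matching, and the sample records are assumptions.

```python
# Added example, not the authors' script. Record layout and matching rules are assumptions.
RESOURCE_CWES = {"CWE-400", "CWE-401", "CWE-404", "CWE-770",
                 "CWE-789", "CWE-1050", "CWE-1325"}
PROTOCOL_KEYWORDS = ("protocol", "http", "mqtt", "ftp", "dicom",
                     "smtp", "rtsp", "ssh", "tls", "telnet")
YEARS = range(2015, 2023)  # 2015 to 2022 inclusive


def is_resource_exhaustion(record):
    """Criterion 1: a listed CWE type, or "exhaust" in the description."""
    if RESOURCE_CWES & set(record.get("cwes", [])):
        return True
    return "exhaust" in record.get("description", "").lower()


def is_protocol_related(record):
    """Criterion 2: the description contains a protocol keyword (substring, assumed)."""
    text = record.get("description", "").lower()
    return any(keyword in text for keyword in PROTOCOL_KEYWORDS)


def select(records):
    """Return IDs of records in the year window that satisfy both criteria."""
    return [r["id"] for r in records
            if r["year"] in YEARS
            and is_resource_exhaustion(r) and is_protocol_related(r)]


# Constructed sample records with placeholder IDs (not real CVE entries).
SAMPLE = [
    {"id": "SAMPLE-0001", "year": 2019, "cwes": ["CWE-400"],
     "description": "Unbounded header parsing in the HTTP server consumes CPU."},
    {"id": "SAMPLE-0002", "year": 2021, "cwes": [],
     "description": "Crafted MQTT CONNECT packets exhaust broker memory."},
    {"id": "SAMPLE-0003", "year": 2020, "cwes": ["CWE-770"],
     "description": "Image decoder allocates without limits on large files."},
    {"id": "SAMPLE-0004", "year": 2018, "cwes": ["CWE-79"],
     "description": "Cross-site scripting in the SSH key management page."},
    {"id": "SAMPLE-0005", "year": 2014, "cwes": ["CWE-401"],
     "description": "Memory leak in the TLS handshake code."},
    # Keyword hit only: "exhaustive" contains "exhaust", so this record passes
    # both filters although it does not describe resource exhaustion.
    {"id": "SAMPLE-0006", "year": 2022, "cwes": ["CWE-330"],
     "description": "Weak PRNG permits exhaustive search of session tokens in the HTTP API."},
]

if __name__ == "__main__":
    print(select(SAMPLE))
```

SAMPLE-0006 is a keyword false positive: substring matching over-selects, so automatically filtered records still need to be reviewed by hand.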