Formal modeling of vulnerability

One concept underlies the entire realm of computer security — vulnerability. Without vulnerability, there is neither security nor the need for it. Surprisingly, the term vulnerability remains ill-defined. We developed and adopted a working definition: a vulnerability is an unplanned system feature that an intruder may exploit, if he/she can establish certain preconditions, to achieve particular impacts on that system that violate its security policy. Our goal was to represent vulnerability in a formal sense and to learn from that representation. We set out to answer the question, “Is it possible to construct a formal model of the domain of computer security vulnerabilities that is sufficiently robust to uncover meaningful relationships among multiple vulnerabilities that were not already recognized?” We model security-related facts in simple propositional logic, construct a graph of temporal dependencies among vulnerabilities (an edge from one vulnerability to another when an impact of the first is a precondition of the second), and analyze the resulting graph visualization.
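The following is an added illustration of the precondition/impact model sketched in the abstract; it is not code from the paper or its authors. It encodes each vulnerability as a set of propositional preconditions and a set of impacts, derives the temporal-dependency graph (an edge from `a` to `b` whenever an impact of `a` is a precondition of `b`), forward-chains the facts an intruder could establish from a given starting state, and then asks the defender's question: which single initial fact, if denied, breaks every path to a policy-violating impact. The catalogue entries `V1`..`V4` and facts such as `unprivileged_shell` are constructed placeholders, not real vulnerabilities.

```python
"""Toy propositional model of vulnerabilities, their temporal dependencies,
and the single-fact mitigations that break a chain (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Vulnerability:
    name: str
    preconditions: FrozenSet[str]  # facts that must hold before exploitation
    impacts: FrozenSet[str]        # facts that hold afterwards (policy violations)


# Hypothetical catalogue: names and facts are constructed for the example only.
CATALOGUE: List[Vulnerability] = [
    Vulnerability("V1", frozenset({"network_reachable"}),
                  frozenset({"unprivileged_shell"})),
    Vulnerability("V2", frozenset({"unprivileged_shell"}),
                  frozenset({"admin_privileges"})),
    Vulnerability("V3", frozenset({"unprivileged_shell", "setuid_tool_installed"}),
                  frozenset({"admin_privileges"})),
    Vulnerability("V4", frozenset({"admin_privileges"}),
                  frozenset({"audit_log_cleared"})),
]


def dependency_graph(vulns: List[Vulnerability]) -> Dict[str, Set[str]]:
    """Edge a -> b when an impact of a satisfies a precondition of b.

    The edge is temporal: b can only be exploited after a has established
    the fact b needs, which is the relationship the abstract's graph records.
    """
    edges: Dict[str, Set[str]] = {v.name: set() for v in vulns}
    for a in vulns:
        for b in vulns:
            if a is not b and a.impacts & b.preconditions:
                edges[a.name].add(b.name)
    return edges


def reachable_facts(initial: Set[str],
                    vulns: List[Vulnerability]) -> Tuple[Set[str], List[str]]:
    """Forward-chain propositional facts to a fixpoint.

    Returns every fact an intruder could establish from `initial`, plus the
    vulnerabilities used, in the order their preconditions became satisfied.
    Each vulnerability fires at most once, so the loop always terminates.
    """
    facts = set(initial)
    used: List[str] = []
    changed = True
    while changed:
        changed = False
        for v in vulns:
            if v.name not in used and v.preconditions <= facts:
                facts |= v.impacts
                used.append(v.name)
                changed = True
    return facts, used


def single_fact_mitigations(initial: Set[str], vulns: List[Vulnerability],
                            violation: str) -> Set[str]:
    """Initial facts whose removal alone keeps `violation` unreachable.

    This is the defender's use of the graph: a fact that appears here is a
    choke point worth hardening, while facts that are absent have an
    alternative path around them (e.g. V2 and V3 both yield admin_privileges).
    """
    blockers: Set[str] = set()
    for fact in initial:
        reduced = initial - {fact}
        reached, _ = reachable_facts(reduced, vulns)
        if violation not in reached:
            blockers.add(fact)
    return blockers


if __name__ == "__main__":
    start = {"network_reachable", "setuid_tool_installed"}
    print("dependency graph:", dependency_graph(CATALOGUE))
    print("reachable:", reachable_facts(start, CATALOGUE))
    print("choke points for admin_privileges:",
          single_fact_mitigations(start, CATALOGUE, "admin_privileges"))
```

Running the module shows that `setuid_tool_installed` is not a choke point (removing it still leaves the `V1` to `V2` path to `admin_privileges`), whereas `network_reachable` is; that kind of non-obvious relationship among several vulnerabilities is exactly what the paper's graph analysis is meant to surface.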