Use of A Taxonomy of Security Faults

Security in computer systems is important so as to ensure reliable operation and to protect the integrity of stored information. Faults in the implementation of critical components can be exploited to breach security and penetrate a system. These faults must be identi ed, detected, and corrected to ensure reliability and safeguard against denial of service, unauthorized modi cation of data, or disclosure of information. We de ne a classi cation of security faults in the Unix operating system. We state the criteria used to categorize the faults and present examples of the di erent fault types. We present the design and implementation details of a prototype database to store vulnerability information collected from di erent sources. The data is organized according to our fault categories. The information in the database can be applied in static audit analysis of systems, intrusion detection, and fault detection. We also identify and describe software testing methods that should be e ective in detecting di erent faults in our classi cation scheme.

[1]  Timothy Alan Budd,et al.  Mutation analysis of program test data , 1980 .

[2]  Eugene H. Spafford,et al.  A PATTERN MATCHING MODEL FOR MISUSE INTRUSION DETECTION , 1994 .

[3]  Sandeep Kumar,et al.  A Software Architecture to Support Misuse Intrusion Detection , 1995 .

[4]  Matt Bishop,et al.  Analyzing the Security of an Existing Computer System , 1986, FJCC.

[5]  Glenford J. Myers,et al.  Art of Software Testing , 1979 .

[6]  R. P. Abbott,et al.  Security Analysis and Enhancements of Computer Operating Systems , 1976 .

[7]  Victor R. Basili,et al.  Evaluating Software Development by Analysis of Changes: Some Data from the Software Engineering Laboratory , 1985, IEEE Transactions on Software Engineering.

[8]  Lee J. White,et al.  A Domain Strategy for Computer Program Testing , 1980, IEEE Transactions on Software Engineering.

[9]  Gerald Popek,et al.  Pattern-Directed Protection Valuation , 1975 .

[10]  Carl E. Landwehr,et al.  A taxonomy of computer program security flaws , 1993, CSUR.

[11]  D. Potier,et al.  Experiments with computer software complexity and reliability , 1982, ICSE '82.

[12]  Michael Merritt,et al.  A Comparison of Some Reliable Test Data Generation Procedures. , 1981 .

[13]  Eugene H. Spafford,et al.  The COPS Security Checker System , 1990, USENIX Summer.

[14]  Sandeep Kumar,et al.  Classification and detection of computer intrusions , 1996 .

[15]  William E. Howden,et al.  Reliability of the Path Analysis Testing Strategy , 1976, IEEE Transactions on Software Engineering.

[16]  R. J. Rubey,et al.  Quantitative aspects of software validation , 1975 .

[17]  Eugene H. Spafford,et al.  Extending mutation testing to find environmental bugs , 1990, Softw. Pract. Exp..

[18]  Brian Marick,et al.  A survey of software fault surveys , 1990 .

[19]  Clive Davidson,et al.  Cyberpunk: Outlaws and hackers on the computer frontier , 1992 .

[20]  Donald E. Knuth,et al.  The errors of tex , 1989, Softw. Pract. Exp..

[21]  Jim Carlstedt,et al.  Protection Errors in Operating Systems: Inconsistency of a Single Data Value over Time , 1975 .

[22]  Simson L. Garfinkel,et al.  Practical UNIX and Internet Security , 1996 .

[23]  D. Farmer,et al.  The Cops Security C H E C Ker System , 1991 .