A software flaw taxonomy: aiming tools at security

Although proposals were made three decades ago to build static analysis tools either to assist software security evaluations or to find security flaws, it is only recently that static analysis and model checking technology has reached the point where such tooling has become feasible. In order to target their technology on a rational basis, it would be useful for tool-builders to have available a taxonomy of software security flaws organizing the problem space. Unfortunately, the only existing suitable taxonomies are sadly out of date, and do not adequately represent security flaws that are found in modern software.

In our work, we have coalesced previous efforts to categorize security problems, as well as incident reports, in order to create a security flaw taxonomy. We correlate this taxonomy with available information about current high-priority security threats, and make observations regarding the results. We suggest that this taxonomy is suitable for use by tool developers and for outlining possible areas of future research.
