ABSTRACT
While the software development community has put significant effort into capturing the artifacts related to a discovered vulnerability in organized repositories, much of this information is not amenable to meaningful analysis and requires deep manual inspection. In the software assurance community, a body of knowledge that provides an enumeration of common weaknesses has been developed, but it is not readily usable for the study of vulnerabilities in specific projects and user environments. We propose organizing the information in project repositories around semantic templates. In this paper, we present preliminary results of an experiment conducted to evaluate the effectiveness of using semantic templates as an aid to studying software vulnerabilities.
Index Terms
- Empirical results on the study of software vulnerabilities (NIER track)