Software Vulnerability Analysis
Tech report number
COAST TR 98-09
The consequences of a class of system failures, commonly known as software vulnerabilities, violate security policies. They can cause the loss of information and reduce the value or usefulness of the system. An increased understanding of the nature of vulnerabilities, their manifestations, and the mechanisms that can be used to eliminate and prevent them can be achieved by the development of a unified definition of software vulnerabilities, the development of a framework for the creation of taxonomies for vulnerabilites, and the application of learning, visualization, and statistical tools on a representative collection of software vulnerabilities. This dissertation provides a unifying definition of software vulnerability based on the notion that it is securty policies that define what is allowable or desirable in a system. It also includes a framework for the development of classifications and taxonomies for software vulnerabilities. This dissertation presents a classification of software vulnerabilities that focuses n the assumptions that programmers make regarding the environment in which their application will be executed and that frequently do not hold during the execution of the program. This dissertation concludes by showing that the unifying definition of software vulnerability, the framweork for the development of classifications, and the application of learning and visulization tools can be used to improve security.
COAST TR 98-09
Department of Computer Sciences, Purdue University
1. Introduction 2. Notation and Teminology 3. Related Work 4. Development of New Taxonomic Characters 5. Experimental Analysis of Software Vulnerabilities 6. A Priori Classifications of Software Vulnerabilities 7. Summary, Conclusions, and Future Directions
A hard-copy of this is in the CERIAS Library