A taxonomy of Computer Program Security Flaws

ACM Computing Surveys (CSUR)

Volumn 26, Issue 3, 1994, Pages 211-254

  Landwehr, Carl E ^a   Bull, Alan R ^a   McDermott, John P ^a   Choi, William S ^a  

^a NAVAL RESEARCH LABORATORY   (United States)

Author keywords

error defect classification; security flaw; taxonomy

Indexed keywords

CODING ERRORS; COMPUTER SOFTWARE; COMPUTER SYSTEM RECOVERY; DATA HANDLING; SOFTWARE ENGINEERING; STATISTICAL TESTS;

ACCESS CONTROL; COMPUTER PROGRAM SECURITY FLAWS; DEFECT CLASSIFICATION; INVASIVE SOFTWARE;

SECURITY OF DATA;

EID: 0028514027     PISSN: 03600300     EISSN: 15577341     Source Type: Journal    
DOI: 10.1145/185403.185412     Document Type: Article

References (31)

1. ABBOTT, R. P., CHIN, J. S., DONNELLEY, J. E., KONIGSFORD, W. L., TOKUBO, S., AND WEBB, D. A. 1976. Security analysis and enhancements of computer operating systems. NBSIR 76-1041, National Bureau of Standards, ICST, Washington, D.C.
2. ANDERSON, J. P. 1972. Computer security technology planning study. ESD-TR-73-51, vols. I and II. NTIS AD758206, Hanscom Field, Bedford, Mass.
3. BISBEY R., II AND HOLLINGWORTH, D. 1978. Protection analysis project final report. ISI/RR-78-13, DTIC AD A056816, USC/Information Sciences Inst., 1978.
4. BREHMER, C. L. AND CARL, J. R. 1993. Incorporating IEEE Standard 1044 into your anomaly tracking process. CrossTalk, J. Def. Softw. Eng. 6, 1 (Jan.), 9-16.
5. CHILLAREGE, R., BHANDARI, I. S., CHAAR, J. K., HALLIDAY, M. J., MOEBUS, D. S., RAY, B. K., AND WONG, M.-Y. 1992. Orthogonal defect classification-a concept for in-process measurements. IEEE Trans. Softw. Eng. 18, 11 (Nov.), 943-956.
6. COHEN, F. 1984. Computer viruses: Theory and experiments. In the 7th DoD/NBS Computer Security Conference. 240-263.
7. DEPARTMENT OF DEFENSE. 1985. Trusted computer system evaluation criteria. DoD 5200.28-STD, U.S. Dept. of Defense, Washington, D.C.
8. DENNING, D. E. 1982. Cryptography and Data Security. Addison-Wesley, Reading, Mass.
9. DENNING, P. J. 1988. Computer viruses. Am. Sci. 76 (May-June), 236-238.
10. ELMER-DEWITT, P. 1988. Invasion of the data snatchers. TIME Mag. (Sept. 26), 62-67.
11. FERBRACHE, D. 1992. A Pathology of Computer Viruses. Springer-Verlag, New York.
12. FLORAC, W. A. 1992. Software quality measurement: A framework for counting problems and defects. CMU/SEI-92-TR-22, Software Engineering Inst. Pittsburgh, Pa.
13. GASSER, M. 1988. Building a Secure Computer System. Van Nostrand Reinhold, New York.
14. IEEE COMPUTER SOCIETY 1990. Standard glossary of software engineering terminology. ANSI/IEEE Standard 610.12-1990 IEEE Press, New York.
15. LAMPSON, B. W. 1973. A note on the confinement problem. Commun. ACM 16, 10 (Oct.), 613-615.
16. LANDWEHR, C. E. 1983. The best available technologies for computer security. IEEE Comput. 16, 7 (July), 86-100.
17. LANDWEHR, C. E. 1981. Formal models for computer security. ACM Comput. Surv. 13, 3 (Sept.), 247-278.
18. LAPRIE, J. C., ED. 1992. Dependability. Basic Concepts and Terminology. Springer-Verlag Series in Dependable Computing and Fault-Tolerant Systems, vol. 6, Springer-Verlag, New York.
19. LEVESON, N. AND TURNER, C. S. 1992. An investigation of the Therac-25 accidents. UCI TR-92-108, Information and Computer Science Dept., Univ. of California, Irvine, Ca.
20. LINDE, R. R. 1975. Operating system penetration. In the AFIPS National Computer Conference. AFIPS, Arlington, Va., 361-368.
21. MCDERMOTT, J. P. 1988. A technique for removing an important class of Trojan horses from high order languages. In Proceedings of the 11th National Computer Security Conference. NBS/NCSC, Gaithersburg, Md., 114-117.
22. NEUMANN, P. G. 1978. Computer security evaluation. In the 1978 National Computer Conference, AFIPS Conference Proceedings 47. AFIPS, Arlington, Va., 1087-1095.
23. PETROSKI, H. 1992. To Engineer is Human: The Role of Failure in Successful Design. Vintage Books, New York.
24. PFLEEGER, C. P. 1989. Security in Computing. Prentice-Hall, Englewood Cliffs, N.J.
25. ROCHLIS, J. A. AND EICHEN, M W. 1989. With microscope and tweezers: The worm from MIT's perspective. Commun. ACM 32, 6 (June), 689-699.
26. SCHELL, R. R. 1979. Computer security: The Achilles heel of the electronic Air Force? Air Univ. Rev. 30, 2 (Jan.-Feb.), 16-33.
27. SCHOCH, J. F. AND HUPP, J. A. 1982. The “worm” programs-early experience with a distributed computation. Commun. ACM 25, 3 (Mar.), 172-180.
28. SPAFFORD, E. H. 1989. Crisis and aftermath. Commun. ACM 32, 6 (June), 678-687.
29. SULLIVAN, M. R. AND CHILLAREGE, R. 1992. A comparison of software defects in database management systems and operating systems. In Proceedings of the 22nd International Symposium on Fault-Tolerant Computer Systems IEEE Computer Society, Boston, Mass., (FTCS-22) (July).
30. THOMPSON, K. 1984. Reflections on trusting trust. Commun. ACM 27, 8 (Aug.), 761-763.
31. WEISS, D. M. AND BASILI, V. R. 1985. Evaluating software development by analysis of changes: Some data from the Software Engineering Laboratory. IEEE Trans. Softw Eng. SE-11, 2 (Feb.), 157-168.