An historical perspective of software vulnerability management

Information Security Technical Report

Volumn 8, Issue 4, 2003, Pages 34-44

  Gray, Andy ^a,b  

^a Icons ^*

^b Open Group Research Institute

Author keywords

[No Author keywords available]

Indexed keywords

C (PROGRAMMING LANGUAGE); COMPUTER NETWORKS; COMPUTER PROGRAMMING; INFORMATION MANAGEMENT; LARGE SCALE SYSTEMS; NONLINEAR SYSTEMS; SEMANTICS; SOFTWARE ENGINEERING;

SOFTWARE VULNERABILITY ASSESSMENT; TAXONOMY;

COMPUTER SOFTWARE;

EID: 1942473600     PISSN: 13634127     EISSN: None     Source Type: Journal    
DOI: 10.1016/S1363-4127(03)00005-0     Document Type: Article

References (31)

1. Aleph One. Smashing the stack for fun and profit. Phrack 49, 14, November 1996. Avaliable from http://www.phrack.com.
2. D. Bell and L. LaPadula, 1975. Secure Computer Systems: Unified Exposition & Multics Interpretation, Technical Report MTIS AD-A023588, MITRE Corp, July 1975.
3. M. Bishop, 1986. Analyzing the Security of an Existing Computer System, 1986 Proceedings of the Fall Joint Computer Conference pp. 1115-1119 (November 1986).
4. M. Bishop, 1995. A Taxonomy of UNIX System and Network Vulnerabilities, Technical Report, Department of Computer Science, University of California at Davis, May 1995.
5. http://www.securityfocus.com/bid/5408/discussion/.
6. J. Cargille and B. P. Miller, 1992. Binary Wrapping: A Technique for Instrumenting Object Code, ACM SIGPLAN Notices, 27(6):17-18, June 1992.
7. E. Cohen, 1977. Information transmission in computational systems, ACM SIGOPS Operating Systems Review, 11(5):133-139, 1977.
8. C. Cowan, 2003. Activity. A note posted to the Sardonix Mailing List, 25 March 2003. http://mail.wirex.com/pipermail/sardonix/2003-March/0153.html.
9. D. Denning, 1976. A Lattice Model of Secure Information Flow, Communications of the ACM, 19(5):236-243, May 1976.
10. D. Denning and P.J. Denning, 1977. Certification of programs for secure information flow, Communications of the ACM, 20 (7) (1977) 504-513.
11. W. Du and A. Mathur, 1998. Vulnerability Testing of Software System Using Fault Injection. Department of Computer Sciences, Purdue University, Coast TR 98-02, 1998 75.
12. W. Du and A. Mathur, 2000. Testing for software vulnerability using environment perturbation, Proceeding of the International Conference on Dependable Systems and Networks (DSN 2000).
13. J. Forrester and B. Miller, 2000. An Empirical Study of the Robustness of Windows NT Applications Using Random Testing, The 4th Usenix Windows System Symposium, Seattle, August 2000.
14. A.K. Ghosh, T. O'Connor and G. McGraw, 1998. An Automated Approach for Identifying Potential Vulnerabilities in Software, Proceedings of the 1998 IEEE Symposium on Security and Privacy.
15. A. Ghosh and T. O'Connor. Analyzing Programs for Vulnerability to Buffer Overrun Attacks, Technical Report, Reliable Software Technologies, January 1998.
16. Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai. Web application security assessment by fault injection and behavior monitoring. WWW. 2003;148-159.
17. B. Lampson, 1973. A Note on the Confinement Problem, Communications of the ACM, 16(10):613-615, 1973.
18. C. Landwehr, A. Bull, J. McDermott and W. Choi, 1994. A Taxonomy of Computer Program Security Flaws, with Examples, ACM Computing Surveys 26, no. 3, September 1994.
19. B. Miller, L. Fredricksen and B. So, 1990. An Empirical Study of the Reliability of Unix Utilities, Communications of the ACM, vol.33, no.12, Dec. 1990, pp. 32-44.
20. B. Miller, D. Koski, C. P. Lee, V. Maganty, R. Murthy, A. Natarajan and J. Steidl, 1995. Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services, Technical Report, Computer Science Department, University of Wisconsin, November 1995.
21. P. G. Neumann, et al. 1976. Software development and proofs of multi-level security, Proc. 2nd International Conference on Software Engineering, pp. 421-428, San Francisco, CA, 1976.
22. Paget C. Exploiting design flaws in the Win32 API for privilege escalation. 2002.
23. J. Rochlis and M. Eichin. With microscope and tweezers: The worm from MIT's perspective, Communications of the ACM, June 1989.
24. J. Rushby, 1995. Formal Methods and their Role in the Certification of Critical Systems, Technical Report CSL-95-1, Computer Science Laboratory, SRI International, March 1995.
25. C. Shannon, 1948. The Mathematical Theory of Communication, The Bell System Technical Journal, vol. 27, pp. 379-423, 1948.
26. http://www.immunitysec.com/spike.html.
27. H. Thompson, J. Whittaker and F. Mottay, 2002. Software Security Vulnerability Testing in Hostile Environments, Proceedings of the 17th ACM Software Applications Conference (ACM-SAC), Madrid, Spain, 2002.
28. B. J. Walker, R. A. Kemmerer and G. J. Popek, 1979. Specification and Verification of the UCLA Unix Security Kernel, Proceedings of the 7th ACM Symposium on Operating Systems Principles (SOSP), pp. 64-65, 1979.
29. H. Wang and C. Wang, 2003. Taxonomy of security considerations and software quality. Communications of the ACM, 46(6): 75-78, 2003.
30. D. Wagner, J. Foster, E. Brewer and A. Aiken, 2000. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, Symposium on Network and Distributed Systems Security (NDSS '00), pp. 3-17, San Diego, CA, February 2000.
31. D. Wagner and H. Chen, 2002. MOPS: an infrastructure for examining security properties of software, Technical Report, UCB//CSD-02-1197, UC Berkeley, 2002.