A software flaw taxonomy: Aiming tools at security

SESS 2005 - Proceedings of the 2005 Workshop on Software Engineering for Secure Systems - Building Trustworthy Applications

Volumn , Issue , 2005, Pages

  Weber, Sam ^a   Karger, Paul A ^a   Paradkar, Amit ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

Author keywords

Argument validation; Buffer overflows asynchronous attacks; Security flaws; Security taxonomies; Static analysis; Testing

Indexed keywords

APPLICATION PROGRAMS; MODEL CHECKING; SOFTWARE ENGINEERING; TAXONOMIES; TESTING;

ANALYSIS AND MODELING; ARGUMENT VALIDATION; BUFFER OVERFLOWS; INCIDENT REPORTS; SECURITY FLAWS; SECURITY PROBLEMS; SECURITY THREATS; SOFTWARE SECURITY;

STATIC ANALYSIS;

EID: 84978945056     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (34)

1. R. P. Abbott, J. S. Chin, J. E. Donnelley, W. L. Konigsford, S. Tukubo, and D. A. Webb. Security analysis and enhancements of computer operating systems. NBSIR 76-1041, The RISOS Project, Lawrence Livermore Laboratory, Livermore, CA, USA, Apr. 1976. Published by the Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, DC, USA.
2. Aleph One. Smashing the stack for fun and profit. Phrack, 7(49), 8 November 1996. URL: http://www.phrack.org/show.php?p=49&a=14.
3. E. A. Anderson. Demonstration of the subversion threat: Facing a critical responsibility in the defense of cyberspace. Master's thesis, Naval Postgraduate School, Mar. 2002.
4. E. A. Anderson, C. E. Irvine, and R. R. Schell. Subversion as a threat in information warfare. Journal of Information Warfare, 3:51-64, 2004.
5. J. P. Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51, Vols. I and II, James P. Anderson and Co., Fort Washington, PA, USA, HQ Electronic Systems Division, Hanscom AFB, MA, USA, Oct. 1972. URL: http://csrc.nist.gov/publications/history/ande72.pdf.
6. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes, May 2002. In IEEE Symposium on Security and Privacy, Oakland, California.
7. T. Aslam. A taxonomy of security faults in the UNIX operating system. Master's thesis, Purdue University, Aug. 1995.
8. T. Aslam, I. Krsul, and E. H. Spafford. Use of a taxonomy of security faults. In Proc. 19th NIST-NCSC National Information Systems Security Conference, pages 551-560, 1996.
9. R. Bisbey and D. Hollingworth. Protection analysis: Final report. Technical Report ISI/SR-78-13, Information Sciences Institute, University of Southern California, Marina del Rey, CA, May 1978. URL: http://csrc.nist.gov/publications/history/bisb78.pdf.
10. M. Bishop and D. Bailey. A critical analysis of vulnerability taxonomies. Technical Report CSE-96-11, Department of Computer Science at the University of California at Davis, Sept. 1996.
11. F. P. Brooks, Jr. The Mythical Man-Month. Addison-Wesley, Reading, MA, 1975.
12. M. G. Carter, S. B. Lipner, and P. A. Karger. Protecting data & information: A workshop in computer & data security. Technical Report EY-AX00080-SM-001, Digital Equipment Corporation, Maynard, MA, 1982.
13. Changeable constants. The RISKS Digest: Forum On Risks To The Public In Computers And Related Systems, 16(38), 2 September 1994. URL: http://catless.ncl.ac.uk/Risks/16.38.html.
14. H. Chen and D. Wagner. MOPS: an infrastructure for examining security properties of software. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 235-244, Washington, DC, Nov. 18-22, 2002.
15. B. Hebbard, P. Grosso, T. Baldridge, C. Chan, D. Fishman, P. Coshgarian, T. Hilton, J. Hoshen, K. Hoult, G. Huntley, M. Stolarchuk, and L. Warner. A penetration analysis of the michigan terminal system. Operating Systems Review, 14(1):7-20, Jan. 1980.
16. J. D. Howard. An Analysis Of Security Incidents On The Internet 1989-1995. PhD thesis, Carnegie Mellon University, Apr. 1997.
17. M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, Redmond, WA, third edition, 2003.
18. P. A. Karger. Network security: Threats and solutions. In The Internet and Telecommunications: Architectures, Technologies, and Business Developments, pages 127-133. International Engineering Consortium, Chicago, IL, 1998.
19. P. A. Karger and R. R. Schell. Multics security evaluation: Vulnerability analysis. Technical Report ESD-TR-74-193, Vol. II, HQ Electronic Systems Division, Hanscom AFB, MA, USA, June 1974. URL: http://csrc.nist.gov/publications/history/karg74.pdf.
20. P. A. Karger and J. C. Wray. Storage channels in disk arm optimization. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pages 52-61, Oakland, CA, 20-22 May 1991.
21. P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn. A retrospective on the VAX VMM security kernel. IEEE Transactions on Software Engineering, 17(11):1147-1165, Nov. 1991.
22. L. Lack. Using the bootstrap to build an adaptable and compact subversion artifice. Master's thesis, Naval Postgraduate School, June 2003.
23. C. E. Landwehr, A. R. Bull, J. P. McDermott, and W. S. Choi. A taxonomy of computer program security flaws. ACM Computer Surveys, 26(3):211-254, Sept. 1994.
24. U. Lindquist and E. Jonsson. How to systematically classify computer security intrusions. In Proceedings of the IEEE Symposium on Security and Privacy, pages 154-163, 1997.
25. J. Murray. An exfiltration subversion demonstration. Master's thesis, Naval Postgraduate School, June 2003.
26. T. Reed. At the Abyss : An Insider's History of the Cold War. Presidio Press, New York, 2004.
27. SANS. The twenty most critical internet security vulnerabilities (version 5.0). web publication: http://www.sans.org/top20, Oct. 2004.
28. M. Schaefer, B. Gold, R. Linde, and J. Scheid. Program confinement in KVM/370. In Proceedings of the 1977 ACM Annual Conference, pages 404-410, Seattle, WA, 16-19 Oct. 1977.
29. M. D. Schroeder and J. H. Saltzer. A hardware architecture for implementing protection rings. Commun. ACM, 15(3):157-170, Mar. 1972.
30. The Open Web Application Security Project. The ten most critical web application security vulnerabilities. Web publication: www.owasp.org, Jan. 2004.
31. United States Department of Defense. Software assurance: mitigating software risks in the dod it and national security systems. Technical report, DoD OASD(NII) forwarded to Committee on National Security Systems (CNSS), Oct. 2004.
32. M. Ward. The hidden dangers of documents: Dot.life - how technology changes us. BBC News - World Edition, 18 August 2003. URL: http://news.bbc.co.uk/2/hi/technology/3154479.stm.
33. G. Weiss. Duping the soviets: The farewell dossier. Studies in Intelligence, 39(5), 1996. URL: http://www.odci.gov/csi/studies/96unclass/ farewell.htm.
34. X. Zhang, A. Edwards, and T. Jaeger. Using cqual for static analysis of authorization hook placement. In Proceedings of the USENIX Security Symposium, Aug. 2002.