DocumentCode :
2905796
Title :
Modeling Security Vulnerabilities: A Constraints and Assumptions Perspective
Author :
Bazaz, Anil ; Arthur, James D. ; Tront, Joseph G.
Author_Institution :
Software Protection Platform Team, Microsoft Inc., Redmond, WA
fYear :
2006
fDate :
Sept. 29 2006-Oct. 1 2006
Firstpage :
95
Lastpage :
102
Abstract :
Preventing exploits from compromising software applications requires a fundamental understanding of how they are being exploited, and then leveraging that understanding in the formulation of tests that reveal software application vulnerabilities. To advance that understanding, this paper first presents a process/object model of computation that establishes a relationship between software vulnerabilities, an executing process, and computer system resources such as memory, input/output, and cryptographic resources. That relationship promotes the concept that a software application is vulnerable to exploits when it violates (a) constraints imposed by computer system resources or (b) assumptions made about the usage of those resources. Secondly, the process/object model also serves as a foundation for the definition of a taxonomy of vulnerabilities. That is, the computer system resources (or objects) identified in the process/object model form the categories and refined subcategories of the taxonomy. Vulnerabilities, which are expressed in the form of constraints and assumptions, are classified within the taxonomy according to these categories and subcategories. This taxonomy of vulnerabilities is novel and distinctively different from other taxonomies found in literature, and is also outlined in this paper.
Keywords :
security of data; software reliability; computer system resources; process-object model of computation; security vulnerability modeling; software vulnerabilities; vulnerabilities taxonomy; Application software; Computational modeling; Computer applications; Computer science; Computer security; Cryptography; Internet; Software protection; Software testing; Taxonomy;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Dependable, Autonomic and Secure Computing, 2nd IEEE International Symposium on
Conference_Location :
Indianapolis, IN
Print_ISBN :
0-7695-2539-3
Type :
conf
DOI :
10.1109/DASC.2006.35
Filename :
4030871