Title :
Lightweight formal models of software weaknesses
Author :
Gandhi, Rajeev ; Siy, Harvey ; Yan Wu
Author_Institution :
Coll. of Inf. Sci. & Technol., Univ. of Nebraska at Omaha, Omaha, NE, USA
Abstract :
Many vulnerabilities in today´s software products are rehashes of past vulnerabilities. Such rehashes could be a result of software complexity that masks inadvertent loopholes in design and implementation, developer ignorance/disregard for security issues, or use of software in contexts not anticipated for the original specification. While weaknesses and exposures in code are vendor, language, or environment specific, to understand them we need better descriptions that identify their precise characteristics in an unambiguous representation. In this paper, we present a methodology to develop precise and accurate descriptions of common software weaknesses through lightweight formal modeling using Alloy. Natural language descriptions of software weaknesses used for formalization are based on the community developed Common Weakness Enumerations (CWE).
Keywords :
DP industry; formal verification; natural languages; safety-critical software; software metrics; Alloy; CWE; community developed common weakness enumerations; developer security issue ignorance; lightweight formal modeling; natural language descriptions; software complexity; software product vulnerabilities; software weaknesses; unambiguous representation; Abstracts; Analytical models; Buffer overflows; Metals; Object oriented modeling; Security; Software; Alloy modeling; CWE; Software weakness;
Conference_Titel :
Formal Methods in Software Engineering (FormaliSE), 2013 1st FME Workshop on
Conference_Location :
San Francisco, CA
DOI :
10.1109/FormaliSE.2013.6612277
