Lightweight formal models of software weaknesses

Author

Gandhi, Rajeev ; Siy, Harvey ; Yan Wu

Author_Institution

Coll. of Inf. Sci. & Technol., Univ. of Nebraska at Omaha, Omaha, NE, USA

fYear

2013

fDate

25-25 May 2013

Firstpage

50

Lastpage

56

Abstract

Many vulnerabilities in today´s software products are rehashes of past vulnerabilities. Such rehashes could be a result of software complexity that masks inadvertent loopholes in design and implementation, developer ignorance/disregard for security issues, or use of software in contexts not anticipated for the original specification. While weaknesses and exposures in code are vendor, language, or environment specific, to understand them we need better descriptions that identify their precise characteristics in an unambiguous representation. In this paper, we present a methodology to develop precise and accurate descriptions of common software weaknesses through lightweight formal modeling using Alloy. Natural language descriptions of software weaknesses used for formalization are based on the community developed Common Weakness Enumerations (CWE).

Keywords

DP industry; formal verification; natural languages; safety-critical software; software metrics; Alloy; CWE; community developed common weakness enumerations; developer security issue ignorance; lightweight formal modeling; natural language descriptions; software complexity; software product vulnerabilities; software weaknesses; unambiguous representation; Abstracts; Analytical models; Buffer overflows; Metals; Object oriented modeling; Security; Software; Alloy modeling; CWE; Software weakness;

fLanguage

English

Publisher

ieee

Conference_Titel

Formal Methods in Software Engineering (FormaliSE), 2013 1st FME Workshop on

Conference_Location

San Francisco, CA

Type

conf

DOI

10.1109/FormaliSE.2013.6612277

Filename

6612277