2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06)
Indiana University-Purdue University, Indianapolis, USA
September 29-October 01
ISBN: 0-7695-2539-3
Anil Bazaz, Microsoft, Inc., USA
James D. Arthur, Virginia Tech, USA
Joseph G. Tront, Virginia Tech, USA
Preventing exploits from compromising software applications requires a fundamental understanding of how they are being exploited, and then leveraging that understanding in the formulation of tests that reveal software application vulnerabilities. To advance that understanding, this paper first presents a Process/Object Model of Computation that establishes a relationship between software vulnerabilities, an executing process, and computer system resources such as memory, input/output, and cryptographic resources. That relationship promotes the concept that a software application is vulnerable to exploits when it violates (a) constraints imposed by computer system resources or (b) assumptions made about the usage of those resources. Secondly, the Process/Object Model also serves as a foundation for the definition of a Taxonomy of Vulnerabilities. That is, the computer system resources (or objects) identified in the Process/Object Model form the categories and refined subcategories of the taxonomy. Vulnerabilities, which are expressed in the form of constraints and assumptions, are classified within the Taxonomy according to these categories and subcategories. This Taxonomy of Vulnerabilities is novel and distinctively different from other taxonomies found in the literature, and is also outlined in this paper.
Citation:
Anil Bazaz, James D. Arthur, Joseph G. Tront, "Modeling Security Vulnerabilities: A Constraints and Assumptions Perspective," dasc, pp.95-102, 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06), 2006