[My research] A Software Flaw Taxonomy: Aiming Tools At Security

This paper proposes a taxonomy of security flaws, explains the relationship between a flaw and a vulnerability, and shows by example how a flaw taxonomy can be used to aim code-inspection tools at security problems.

Sam Weber, Paul A. Karger, Amit Paradkar (IBM T. J. Watson Research Center)

Software Engineering for Secure Systems – Building Trustworthy Applications (SESS’05)

Main contribution:

security flaw taxonomy - an ordered system that indicates natural relationships of security flaws

Terminology:

vulnerabilities - a way in which a hostile entity can successfully violate a system's security

attacks - the tool or technique with which an attacker will attempt to detect and exploit a vulnerability.

Relationship between flaw and vulnerability:

A flaw is a defect in a system which can result in a security violation

Every vulnerability must be due to at least one flaw, but it is possible for a flaw not to cause any vulnerability: the flaw might be masked by another part of the system. Additionally, different flaws might result in the same vulnerability.

Flaw taxonomies are therefore what matters to the designer of a code inspection tool: such a tool finds flaws in code, not vulnerabilities in a deployed system.

vulnerability -> by definition exploitable (a flaw need not be)
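The flaw/vulnerability distinction above is easiest to see in a toy inspection-tool model. The following Python is an added example for these notes, not code from the paper: it uses a constructed call graph and a constructed list of inspector-reported flaws (function names, flaw ids F1..F4 and guard names are all assumptions) and computes which flaws actually become vulnerabilities. It covers all three cases from the definition: a flaw masked on one path but exposed on another (F1), two flaws behind the same vulnerability (F2 and F3), and a flaw that never becomes a vulnerability at all (F4).

```python
# Added example for these notes (not from the paper): a toy model of how a
# flaw-oriented inspection tool relates the flaws it finds to vulnerabilities.
# All function names, flaw ids and guard names below are constructed.
from collections import defaultdict

# Constructed call graph: caller -> list of (callee, guard applied at that call
# site or None). A guard models input validation done before the call.
CALLS = {
    "parse_request": [("copy_header", "len_check"),
                      ("copy_body", None),
                      ("copy_trailer", "len_check")],
    "parse_legacy": [("copy_header", None)],   # old path without the check
    "copy_header": [],
    "copy_body": [],
    "copy_trailer": [],
}

# Flaws an inspector would report: where they are, what security violation
# they cause if triggered, and which guard masks them.
FLAWS = {
    "F1": {"loc": "copy_header", "effect": "stack overflow in copy_header",
           "masked_by": "len_check"},
    "F2": {"loc": "copy_body", "effect": "heap overflow in copy_body",
           "masked_by": "len_check"},
    "F3": {"loc": "copy_body", "effect": "heap overflow in copy_body",
           "masked_by": "null_termination"},
    "F4": {"loc": "copy_trailer", "effect": "stack overflow in copy_trailer",
           "masked_by": "len_check"},
}

# Functions that untrusted input can reach directly.
ENTRY_POINTS = ["parse_request", "parse_legacy"]


def vulnerabilities(calls, flaws, entry_points):
    """Map each vulnerability (entry point, effect) to the flaws behind it.

    A flaw turns into a vulnerability only if some path from an entry point
    reaches its location without the guard that masks it.
    """
    found = defaultdict(set)

    def walk(entry, fn, guards, seen):
        if (fn, guards) in seen:          # cycle-safe on recursive call graphs
            return
        seen.add((fn, guards))
        for fid, flaw in flaws.items():
            if flaw["loc"] == fn and flaw["masked_by"] not in guards:
                found[(entry, flaw["effect"])].add(fid)
        for callee, guard in calls.get(fn, []):
            walk(entry, callee, guards | ({guard} if guard else frozenset()), seen)

    for entry in entry_points:
        walk(entry, entry, frozenset(), set())
    return {k: sorted(v) for k, v in found.items()}


def masked_flaws(calls, flaws, entry_points):
    """Flaws that never become a vulnerability because every path is guarded."""
    exposed = {fid for ids in vulnerabilities(calls, flaws, entry_points).values()
               for fid in ids}
    return sorted(set(flaws) - exposed)


if __name__ == "__main__":
    for (entry, effect), ids in sorted(vulnerabilities(CALLS, FLAWS, ENTRY_POINTS).items()):
        print(f"{entry}: {effect} <- flaws {', '.join(ids)}")
    print("masked (no vulnerability):", masked_flaws(CALLS, FLAWS, ENTRY_POINTS))
```

Note that a real inspector only sees the rows of FLAWS; whether F1 is a vulnerability depends on the legacy path, which is exactly why the paper says a tool designer should be classifying flaws rather than vulnerabilities.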

Related work - earlier flaw taxonomies:

RISOS project [1] - operating system flaws

Protection Analysis project [9]

Landwehr [23] - classifies flaws along three dimensions

1. genesis - how the flaw was introduced

1.1 intentional

1.1.1 malicious

1.1.2 non-malicious

1.2 inadvertent

2. time of introduction - at which stage of the development process the flaw entered

3. location - in which component of the system the flaw resides

The authors argue that a taxonomy should be goal-driven: here, organized around the needs of code-inspection tool designers rather than around how or when a flaw arose.

Flaw Taxonomy

Related applications:

Chen and Wagner [14] - checking code against a Unix security model

Zhang, Edwards and Jaeger [34] - discovering improper placement of authorization calls in the Linux kernel


Reposted from: https://www.cnblogs.com/wanzhiyuan/archive/2011/08/18/2143980.html
