On Vulnerabilities, Constraints and Assumptions
Anil Bazaz, James D. Arthur

TL;DR
This paper introduces a novel taxonomy of software vulnerabilities based on a theoretical model that links vulnerabilities to violations of system constraints and assumptions, aiding in security verification and validation.
Contribution
It develops a new taxonomy grounded in a theoretical computing model that classifies vulnerabilities by system resources and their constraints, offering a distinct approach from existing taxonomies.
Findings
Provides a comprehensive classification scheme for vulnerabilities.
Establishes a theoretical basis connecting vulnerabilities to resource constraints.
Differentiates from existing taxonomies through its resource-based approach.
Abstract
This report presents a taxonomy of vulnerabilities created as a part of an effort to develop a framework for deriving verification and validation strategies to assess software security. This taxonomy is grounded in a theoretical model of computing, which establishes the relationship between vulnerabilities, software applications and the computer system resources. This relationship illustrates that a software application is exploited by violating constraints imposed by computer system resources and assumptions made about their usage. In other words, a vulnerability exists in the software application if it allows violation of these constraints and assumptions. The taxonomy classifies these constraints and assumptions. The model also serves as a basis for the classification scheme the taxonomy uses, in which the computer system resources such as memory, input/output, and cryptographic…
Taxonomy
Topics: Security and Verification in Computing · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
