Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight

2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) Pub Date : 2021-10-01 DOI:10.1109/ISSREW53611.2021.00052

Irena Bojanova, C. E. Galhardo, Sara Moshtari

{"title":"Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight","authors":"Irena Bojanova, C. E. Galhardo, Sara Moshtari","doi":"10.1109/ISSREW53611.2021.00052","DOIUrl":null,"url":null,"abstract":"In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause→consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence-cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.","PeriodicalId":385392,"journal":{"name":"2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)","volume":"118 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSREW53611.2021.00052","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause→consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence-cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

输入/输出检查错误分类:聚光灯下的注入错误

在这项工作中，我们提出了输入/输出检查错误的正交分类，允许对相关软件漏洞进行精确的结构化描述。我们利用bug框架(Bugs Framework, BF)方法定义了两个独立于语言的类，它们涵盖了所有可能的数据检查bug。我们还识别所有类型的注入错误，因为它们总是由输入/输出数据验证错误直接引起的。在BF中，每个类都是一个弱点类型的分类范畴，由一组操作、因果关系和属性定义。错误或弱点的BF描述是一个分类BF类的实例，它具有一个操作、一个原因、一个结果及其属性。然后，任何漏洞都可以被描述为这样的实例链及其因果转换。通过我们新开发的数据验证错误和数据验证错误类，我们确认BF是一个扩展了共同弱点枚举(CWE)的分类系统。它允许对软件缺陷和弱点进行清晰的沟通，提供了一种结构化的方法来精确描述现实世界的漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)

自引率

0.00%

发文量