Computer Science ›› 2016, Vol. 43 ›› Issue (5): 76-79.doi: 10.11896/j.issn.1002-137X.2016.05.014


Novel Taxonomy of Security Weakness in Source Code Based on Three-dimension Tree Model

ZHANG Yan, LI Zhou-jun, DONG Guo-wei and MA Dian-fu   

Online: 2018-12-01    Published: 2018-12-01

Abstract: We present a novel taxonomy of security weaknesses in source code based on a three-dimension tree model, which jointly considers three aspects of a weakness: its cause, its consequence, and its form of expression in the code. Case studies show that, compared with CWE and the Fortify classification, the proposed taxonomy is more accurate and more detailed. The work helps to establish a relatively complete classification system for source-code defects, and it is of practical value for refining the rules used in security weakness detection.

Key words: Three-dimension tree model, Source code, Security weakness, Taxonomy

[1] Mei Hong, Wang Qian-xiang, Zhang Lu, et al. Software Analysis: A Road Map [J]. Chinese Journal of Computers, 2009, 32(9): 1697-1710 (in Chinese)
[2] Piessens F. A Taxonomy of Causes of Software Vulnerabilities in Internet Software [C]. Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE'02). 2002: 47-52
[3] Aslam T. A Taxonomy of Security Faults in the Unix Operating System [R]. Technical Report TR-95-09, Department of Computer Science, Purdue University, West Lafayette, USA, 1995
[4] Jiwnani K, Zelkowitz M. Susceptibility Matrix: A New Aid to Software Auditing [J]. IEEE Security and Privacy, 2004, 2(2): 16-21
[5] Landwehr C E, Bull A R, McDermott J P. A Taxonomy of Computer Program Security Flaws with Examples [J]. ACM Computing Surveys, 1994, 26(3): 211-254
[6] Weber S, Karger P A, Paradkar A. A Software Flaw Taxonomy: Aiming Tools at Security [C]. Proceedings of the 2005 Workshop on Software Engineering for Secure Systems (SESS'05). 2005: 274-281
[7] Tsipenyuk K, Chess B, McGraw G. Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors [J]. IEEE Security & Privacy, 2005, 3(6): 81-84
[8] Power R. Current and Future Danger: A CSI Primer on Computer Crime & Information Warfare [M]. Computer Security Institute, 1998
[9] Krsul I, Spafford E, Tripunitara M. Computer Vulnerability Analysis [R]. Technical Report TR-47909-1398, Department of Computer Science, Purdue University, West Lafayette, USA, 1998
[10] Du W, Mathur A P. Categorization of Software Errors that Lead to Security Breaches [C]. Proceedings of the 21st National Information Systems Security Conference. 1998: 603-612
[11] Bishop M. A Taxonomy of Unix System and Network Vulnerabilities [R]. Technical Report CSE-95-8, Department of Computer Science, University of California at Davis, Davis, 1995
[12] Cohen F B. Information System Attacks: A Preliminary Classification Scheme [J]. Computers and Security, 1997, 16(1): 26-49
[13] Howard J D. An Analysis of Security Incidents on the Internet 1989-1995 [R]. Pittsburgh, USA: Carnegie Mellon University, 1997
[14] Killourhy K S, Maxion R A, Tan K M. A Defense-centric Taxonomy Based on Attack Manifestations [C]. 2004 International Conference on Dependable Systems and Networks. IEEE, 2004: 102-111
[15] Hansman S, Hunt R. A Taxonomy of Network and Computer Attacks [J]. Computers and Security, 2005, 24(1): 31-43
[16] DeMillo R A, Mathur A P. A Grammar-based Fault Classification Scheme and Its Application to the Classification of the Errors of TeX [R]. Technical Report, Department of Computer Science, Purdue University, West Lafayette, USA, 1995
[17] Bazaz A, Arthur J D. Towards a Taxonomy of Vulnerabilities [C]. Proceedings of the 40th Annual Hawaii International Conference on System Sciences. IEEE, 2007: 163
[18] CWE. http://cwe.mitre.org
[19] Fortify Software. http://www.fortify.com
[20] Huang Ming, Zeng Qing-kai. Research on Classification Attributes of Software Vulnerability [J]. Computer Engineering, 2010, 36(1): 184-186 (in Chinese)
