The Bug Framework (BF): A Taxonomy For Precise and Accurate Software Bug Descriptions
Abstract:
Autonomous Intelligent Systems (AIS) are built on principles defined in cognitive architectures. One significant contribution to measurement of the security of a system is being able to precisely and accurately characterize the vulnerabilities a system has or doesn’t have. Medical doctors spend years learning a vocabulary to precisely designate muscles, bones, organs, diseases, and conditions to communicate clearly. We have some similar work, such as Software Fault Patterns (SFPs) [1], Common Attack Pattern Enumeration and Classification (CAPEC), semantic templates [2], and the Common Weakness Enumeration (CWE) [3], but none of them are complete or easy to use for many purposes. For instance, CWEs are a considerable community effort, but many of the descriptions are inaccurate, incomplete, inconsistent, or ambiguous, with causes and consequences mixed in. In addition, CWEs are coarse-grained, with irregular overlap of coverage and even no coverage in the areas of mobile applications and cyber-physical systems. Without a coherent definition of bugs, it is difficult to state, say, that a system is assured free from a certain class of bugs or that a new technique will absolutely detect their presence.
Just as the Global Positioning System (GPS) requires being able to measure time very precisely, allowing for the Doppler effect and general relativity, we are building the Bug Framework (BF) to precisely and accurately define software bugs. We are (1) breaking down existing CWEs, SFPs, semantic templates, etc. into simple “atoms” or components of bugs, (2) organizing them into meaningful structures and identifying assembly rules, and (3) using this to precisely define bug classes reported by assurance tools, explain known vulnerabilities, and guide development of techniques to cover gaps. The framework includes clear definitions and attributes of bug classes, along with related properties, such as sites, causes, and consequences.
Here we present our latest work in three classes of software bugs: buffer overflow (BOF), injection (INJ), and interaction frequency control (IFC). For each class, we show the relation between their proximate and secondary causes, their attributes, and their consequences. For instance, BF reveals that buffer overflows have exactly two proximate causes: data exceeds array (either the programmer made the array too small or tried to use too much data) or wrong index/pointer out of range. We also provide several examples of applying our “measurement basis” to explain public vulnerabilities, such as Heartbleed.
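As an added illustration of the two BF proximate causes of buffer overflow named above (this is example code written for this page, not part of BF or the authors' work), the two checks below each block one cause before any memory access takes place. The `copy_payload` function assumes a Heartbleed-style message format in which a length field arrives inside the message and must be compared with the bytes actually received; the enum and function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Outcome codes: each check names the BF proximate cause it rejects. */
enum bof_check {
    BOF_OK = 0,
    BOF_DATA_EXCEEDS_ARRAY = 1,   /* array too small, or too much data used */
    BOF_INDEX_OUT_OF_RANGE = 2    /* wrong index/pointer out of range       */
};

/* Proximate cause 1: data exceeds array.
   A payload is copied into a fixed-size buffer only when the length claimed
   by the message fits BOTH the bytes actually received (otherwise the copy
   would over-read the source, the Heartbleed-style defect) AND the
   destination (otherwise the copy would over-write an array that is too
   small). Either failure is the same BF proximate cause. */
enum bof_check copy_payload(unsigned char *dst, size_t dst_len,
                            const unsigned char *msg, size_t msg_len,
                            size_t claimed_len)
{
    if (claimed_len > msg_len)      /* tried to use too much data */
        return BOF_DATA_EXCEEDS_ARRAY;
    if (claimed_len > dst_len)      /* array made too small */
        return BOF_DATA_EXCEEDS_ARRAY;
    memcpy(dst, msg, claimed_len);
    return BOF_OK;
}

/* Proximate cause 2: wrong index/pointer out of range.
   One element is read only when the index lies inside [0, len); a negative
   index and an index equal to len are both rejected. */
enum bof_check read_at(const int *arr, size_t len, long idx, int *out)
{
    if (idx < 0 || (size_t)idx >= len)
        return BOF_INDEX_OUT_OF_RANGE;
    *out = arr[idx];
    return BOF_OK;
}
```
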
Information structured in the fashion of the Bug Framework (BF) will enable users to more easily determine whether two tools find the same sets of bugs, or whether they find different, complementary sets. These definitions can serve as a coherent system of units of measurement, enabling more accurate determinations of security.
References:
[1] Nikolai Mansourov and Djenana Campara, “System Assurance: Beyond Detecting Vulnerabilities”, pp. 175–186, 2011, Morgan Kaufmann – Elsevier.
[2] Yan Wu, Robin A. Gandhi, and Harvey Siy, “Using semantic templates to study vulnerabilities recorded in large software repositories,” in Proc. 2010 ICSE Workshop on Software Engineering for Secure Systems, (SESS ’10). New York, NY, 2010, pp. 22–28. [Online]. Available: http://doi.acm.org/10.1145/1809100.1809104.
[3] The MITRE Corporation, CWE, Common Weakness Enumeration, http://cwe.mitre.org/
Bio:
Paul E. Black has nearly 20 years of industrial experience in areas such as developing software for IC design and verification, assuring software quality, and managing business data processing. He is now a Computer Scientist for the U.S. National Institute of Standards and Technology (NIST) near Washington, D.C. The web site he began and edits, the on-line Dictionary of Algorithms and Data Structures (http://www.nist.gov/dads/), is accessed almost 20,000 times a day from all over the world. He is a member of the Software Quality Group in the Systems and Software Division of the Information Technology Laboratory at NIST.
Dr. Black earned a B.S. in Physics and Mathematics in 1973 and an M.S. in Computer Science in 1983. He began his Ph.D. at UC Berkeley, then transferred to Brigham Young University, where he graduated in 1998. Dr. Black has been active in the formal methods research community and has served as a reviewer for DAC (Design Automation Conference) for several years. He has taught classes at Brigham Young University and Johns Hopkins University. Dr. Black has published in the areas of static analysis, software testing, software configuration control, networks and queuing analysis, formal methods, software verification, quantum computing, and computer forensics. He is a member of the ACM and the IEEE Computer Society and a senior member of the IEEE.