A taxonomy of computer program security flaws

Landwehr, Carl E.; Bull, Alan R.; McDermott, John; Choi, William

doi:10.1145/185403.185412

Cited by 333 publications

(159 citation statements)

References 11 publications

Supporting

Mentioning

143

Contrasting

Unclassified

Order By: Relevance

“…Malicious logic faults, that encompass development faults (#5,#6) such as Trojan horses, logic or timing bombs, and trapdoors, as well as operational faults (#25) such as viruses, worms, or zombies. Definitions for these faults [Landwehr et al 1994, Powell & Stroud 2003] are given in figure 3.5.…”

Section: On Malicious Faultsmentioning

confidence: 99%

Basic concepts and taxonomy of dependable and secure computing

Avižienis

Laprie

Randell

et al. 2004

IEEE Trans.Dependable and Secure Comput.

4,102

2,435

View full text Add to dashboard Cite

show abstract

Section: On Malicious Faultsmentioning

confidence: 99%

Basic concepts and taxonomy of dependable and secure computing

Avižienis

Laprie

Randell

et al. 2004

IEEE Trans.Dependable and Secure Comput.

4,102

2,435

View full text Add to dashboard Cite

show abstract

“…This event will cause 2 hours of unavailability for R 01 . Taxonomy-based approaches, such as Computer Program Flaws [15], Faults [16], can be used to identify this class of events related to the software systems. For identifying events in other domains (e.g., management, financial), analysts should conduct the interviews to the related stakeholders or the domain experts.…”

Section: Modeling Processmentioning

confidence: 99%

Analyzing Business Continuity through a Multi-layers Model

Asnar

Giorgini

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Business Continuity Management (BCM) is a process to manage risks, emergencies, and recovery plans of an organization during a crisis. It results in a document called Business Continuity Plans (BCP) that specifies the methodology and procedures required to backup and recover the functional unit of a disrupted business. Traditionally, the BCP assessment is based only on the continuity of IS infrastructures and does not consider possible relations with the business objectives and business processes. This traditional approach assumes that the risk of business continuity is resulted from the disruption of the IS infrastructures. However, we believe there are situations where the risk emerges even the infrastructures up and running. Moreover, the lack of modeling framework and the aided-tool make the process even harder. In this paper, we propose a framework to support modeling and analysis of BCP from the organization perspective, where risks and treatments are modeled and analyzed along strategic objectives and their realizations. An automated reasoner based on cost-benefit analysis techniques is proposed to elicit and then adopt the most cost-efficient plan. The approach is developed using the Tropos GoalRisk Framework and the Time Dependency and Recovery Model as underlain frameworks. A Loan Originating Process case study is used as a running example to illustrate the proposal.

show abstract

“…A facility of this program is that it can log all terminal output into a user-specified file. Due to a serialisation error in the procedure for checking this write privilege [Landwehr et al 1994], the output can be diverted to any file in the file system.…”

Section: Examples Of Used Programs Are Crack Cops Tiger and Iss (Inmentioning

confidence: 99%

Towards Operational Measures of Computer Security: Experimentation and Modelling

Olovsson

Jonsson

Brocklehurst³

et al. 1995

Predictably Dependable Computing Systems

View full text Add to dashboard Cite

Abstract.This paper discusses similarities between reliability and security with the intention of finding probabilistic measures of operational security similar to those that we have for reliability of systems. Ideally, a measure of the security of a system should capture quantitatively the intuitive notion of 'the ability of the system to resist attack', described by the parameter effort.That is, it should reflect the degree to which the system can be expected to remain free of security breaches under particular conditions of operation, including those of attack. Current security levels, e.g., those of the Orange book, at best reflect the extensiveness of safeguards introduced during the design and development of a system. Even though we might expect a system developed to a higher level than another system to exhibit 'more secure behaviour' in operation, this cannot be guaranteed. In particular, we can not assess the actual operational security from knowledge of such a level.We have carried out two realistic intrusion experiments intended to investigate the empirical issues that arise from this probabilistic view of security assessment. More specifically, they investigated the problems of measuring effort and reward associated with security attacks and breaches. In the first, pilot experiment, the intention was to see whether experiments of this type, in which a number of under-graduate students were allowed to attack a system under controlled circumstances, were at all feasible, and if so, to get valuable information on how they should be carried out. In the second full-scale experiment, we aimed at getting enough data to be able to start a methodology development, a methodology by which operational security measures could be derived. During this latter experiment 181 activity reports were submitted, resulting in 63 successful breaches, and reflecting a total expenditure of 594 man-hours. The breaches were classified into 6 different categories, based on which kind if security flaw was exploited and the underlying functionality and nature of these flaws is discussed. In a short concluding discussion on quantitative assessment, it is recognized that, even if effort is meant to be composed of many different parameters, various time parameters, such as working time, on-line time and CPU time, form an important base for the measure.

show abstract

A taxonomy of computer program security flaws

Cited by 333 publications

References 11 publications

Basic concepts and taxonomy of dependable and secure computing

Basic concepts and taxonomy of dependable and secure computing

Analyzing Business Continuity through a Multi-layers Model

Towards Operational Measures of Computer Security: Experimentation and Modelling

Contact Info

Product

Resources

About