In these presentation slides, we share our review and critique of various vulnerability taxonomies. We also propose criteria by which a taxonomy can be graded as a well-defined taxonomy. On top of that, we share our own taxonomy, constructed specifically to understand various vulnerabilities in the C programming language.
1. Understanding Vulnerabilities by Refining Taxonomy
Nurul Haszeli Ahmad₁
Syed Ahmad Aljunid₁
Jamalul-lail Ab Manan₂
₁ FSKM, UiTM Shah Alam
₂ MIMOS Berhad
2. Contents
• Introduction
• Taxonomy and Criteria of a Well-Defined Taxonomy
• Previous Vulnerabilities Taxonomies and Gaps
• Refining Previous Taxonomies
• Taxonomy of C Overflow Vulnerabilities Attack
• Contribution
• Conclusion
• Q&A
3. Introduction
• Vulnerabilities and exploitation started in the late 80s
• In the early 90s, experts started to identify vulnerabilities to improve understanding of the behavior and nature of vulnerabilities (Aslam, 1995; Howard et al., 2009; Viega & McGraw, 2001; Seacord, 2005; etc.)
• Using the classifications, programming rules and tools are constructed
• However, vulnerabilities are still at large (Microsoft, 2011; MITRE, 2011; and IBM, 2011)
• Most dominant and prominent – overflow vulnerabilities in applications developed using the C language
4. Introduction… cont.
• This paper focuses on:
– Identifying and describing the criteria of a well-defined taxonomy
– Criticizing previous taxonomies, including identifying gaps and proposing improvements
– Briefly presenting the C overflow vulnerabilities attack taxonomy
• Why?
– Accurate comprehension of the problems is crucial to improving security implementation and analysis tools (Krsul, 1998)
– Understanding vulnerabilities is crucial to developing secure software, thus gaining trustworthiness from users (Bill Gates, 2002)
6. Taxonomy and Criteria of a Well-Defined Taxonomy
• Definition (Krsul, 1998; Patrick, 2006; Merriam-Webster, 2011)
– Taxonomy
• A study to generalize and classify studied objects
– Classification
• An arrangement of studied objects into a specific order or by shared behaviour
– Vulnerabilities Taxonomy
• A generalization and classification of vulnerabilities
– Criteria of a well-defined taxonomy
• Set of criteria that ensure a taxonomy covers the scope of the objects studied.
– Well-Defined Taxonomy
• An arrangement or classification structure that fulfils a list of criteria which ensure it is complete and understandable, thus becoming useful in building knowledge on the objects studied.
8. Criteria of A Well-Defined Taxonomy
No. | Characteristics | Description
1 | Simplicity | Simplified into diagram or structures
2 | Organized Structures | Organized into readable structures
3 | Obvious | SMART and observable objective; process flow is clear and easily followed
4 | Repeatability | Repeatable result
5 | Specificity / Mutual Exclusive / Primitive | Specific and explicit value; object belongs to ONLY one class
6 | Completeness | Covers all objects of the same behavior or character
7 | Similarity | Similar characteristics of objects in a class
8 | Knowledge Compliant | Built using known existing terminology
Source: Krsul, 1998; Alhazmi et al., 2006; Howard et al., 1998; Vijayaraghavan & Kaner, 2003; Hansman, 2003; Killourhy et al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansman & Hunt, 2005; Venter & Eloff, 2003; Bishop & Bailey, 1996.
10. Previous Vulnerabilities Taxonomies and Gaps (General)
Columns 1 to 8 are the well-defined characteristics.
Taxonomy | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
H. Shahriar, M. Zulkernine (2011) | √ | √ | X | X | X | X | √ | √
A. Bazaz, J. D. Arthur (2007) | √ | √ | X | X | X | X | √ | √
O. H. Alhazmi et al. (2006) | √ | √ | √ | √ | √ | X | √ | √
M. Gegick, L. Williams (2005) | √ | X | √ | √ | √ | X | √ | √
K. Tsipenyuk, et al. (2005) | √ | √ | √ | X | X | X | √ | √
S. Hansman, R. Hunt (2005) | X | √ | X | √ | X | √ | √ | √
V. Pothamsetty, B. Akyol (2004) | X | X | √ | X | X | √ | √ | √
Killourhy, K. S., et al. (2004) | √ | √ | √ | X | √ | X | √ | √
Lough, D. L. (2001) | √ | √ | X | X | X | X | √ | √
Krsul, I. V. (1998) | √ | √ | X | X | X | X | √ | √
Howard, J. D., Longstaff, T. A. (1998) | √ | √ | X | X | √ | √ | √ | √
Aslam, T. (1995) | √ | √ | X | X | X | X | √ | √
11. Previous Vulnerabilities Taxonomies and Gaps (C Overflow)
Columns 1 to 8 are the well-defined characteristics.
Taxonomy | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
H. D. Moore (2007) | √ | √ | X | √ | X | X | √ | √
A. I. Sotirov (2005) | √ | √ | √ | X | √ | X | √ | √
M. A. Zhivich (2005) | √ | √ | √ | X | X | X | √ | √
K. Kratkiewicz (2005) | √ | √ | √ | X | X | X | √ | √
M. Zitser (2003) | √ | √ | √ | X | X | X | √ | √
13. Proposed improvements for previous taxonomies (General)
Taxonomy, followed by its proposed improvements:
H. Shahriar, M. Zulkernine (2011)
• Combine classes with objects sharing similar characteristics
• Clear and observable definition and process flow
A. Bazaz, J. D. Arthur (2007)
• Divide classes into sub-classes due to generality
• Clear and observable process flow
• Reduce constraints or assumptions
O. H. Alhazmi et al. (2006)
• Combine process and classes for both by type and severity
• Further divide into sub-classes
M. Gegick, L. Williams (2005)
• Build on top of existing knowledge
• Clear and observable process flow
K. Tsipenyuk, et al. (2005)
• Combine classes that share characteristics
• Well-structured to differentiate languages used
• Too many classes and too wide – should reduce the scope
S. Hansman, R. Hunt (2005)
• Reduce the scope
• Rearrange the classification
14. Proposed improvements for previous taxonomies (General)
Taxonomy, followed by its proposed improvements:
V. Pothamsetty, B. Akyol (2004)
• Further divide into sub-classes
• Reduce the scope
• Rearrange the class structure
Killourhy, K. S., et al. (2004)
• Clear and observable process flow and definition
• Build on top of existing knowledge
Lough, D. L. (2001)
• Further divide into sub-classes
Krsul, I. V. (1998)
• Clear and observable process flow
• Well-structured classes
Howard, J. D., Longstaff, T. A. (1998)
• Clear and observable process flow
• Well-structured classes
• Further divide into sub-classes
Aslam, T. (1995)
• Extend the list further
• Rearrange the classes
15. Proposed improvements for previous taxonomies (C Overflow)
Taxonomy, followed by its proposed improvements:
H. D. Moore (2007)
• Clear definition of class
• Divide further into a few sub-classes
A. I. Sotirov (2005)
• Extend and generalize to cover latest vulnerabilities
• Restructure the class
M. A. Zhivich (2005)
• Extend the list of overflow vulnerabilities
• Restructure to have a specific class on overflows
K. Kratkiewicz (2005)
• Restructure the classes
• Implement hierarchy-based classes
M. Zitser (2003)
• Restructure the classes
• Implement hierarchy-based classes
17. Taxonomy of C Overflow Vulnerabilities Attack
Sources: Ahmad et al., 2011 (ICSECS); Ahmad et al., 2011 (IJNCAA)
19. Contribution
• (1) Consolidate and construct criteria of a well-defined taxonomy
• (2) Consolidate all reviews on previous taxonomies
• (3) Critical reviews, including identifying gaps and proposing potential improvements on previous taxonomies
21. Conclusion
• Construct and discuss characteristics of a well-defined taxonomy
• Critical review of previous vulnerability taxonomies in the context of well-defined characteristics
• Propose possible improvements for previous taxonomies
• Briefly share the constructed taxonomy specific to C overflow vulnerabilities, which meets the criteria of a well-defined taxonomy
23. Nurul Haszeli Ahmad
UiTM Shah Alam
Email: masteramuk@yahoo.com
Blog: http://malaysiandeveloper.blogspot.com
Skype, LinkedIn & Twitter: masteramuk
Syed Ahmad Aljunid
FSKM, UiTM Shah Alam
Email: aljunid@tmsk.uitm.edu.my
Jamalul-lail Ab Manan
MIMOS Berhad
Email: jamalul.lail@mimos.my
Editor's Notes
Proposing improvements – covers all identified vulnerability taxonomies to give comprehensive remarks, but our proposal has significant impact on the latest taxonomies, such as those by Shahriar (2011), Bazaz (2007), and Moore (2005).