Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities

Published

Author(s)

Irena Bojanova

Abstract

The Bugs Framework (BF) is a classification of security bugs and related faults, featuring a formal language for unambiguous specification of security weaknesses and underlined by them vulnerabilities. It organizes bugs and faults by the operations of distinct software or hardware execution phases -- as weakness causes, and the resulting errors propagating to other faults or causing failures -- as weakness consequences. The phases do not overlap by operation, which guarantees complete orthogonal weakness types coverage (without gaps and overlaps) and unique precise weakness and vulnerability descriptions (with clear causality). The BF formal language is generated by the BF Left-to-right Leftmost-derivation One-symbol-lookahead (LL(1)) attribute context-free grammar (ACFG), based on the BF taxonomy, bugs models, and vulnerability models. This formalism enables a new range of research and development efforts for creation of comprehensively labeled weakness and vulnerability datasets, and diverse vulnerability classifications; as well as vulnerability specification generation, bug detection, and vulnerability analysis and remediation. The BF weakness and vulnerability specifications may serve as a formal augmentation to the Common Weakness Enumeration (CWE) and the Common Vulnerabilities and Exposures (CVE) natural language descriptions. This Special Publication (SP) presents an overview on the Bugs Framework (BF). Further details will be available in NIST SP xxx-xxxA-I at \urlhttps://csrc.nist.gov/publications/}. The expected audience is of security researchers, software and hardware developers, information technology (IT) managers, and IT executives. To our knowledge, the ideas, approach, and methodologies in which the BF formal language, models, tools, and datasets are being created and presented here are unique.
Citation
Special Publication (NIST SP) - 800-231
Report Number
800-231

Keywords

Bug, Bug Classification, Bug Detection, Bug Taxonomy, Bug Triaging, Code, CVE, CWE, Cybersecurity, Design, Exploitation, Exploitable Error, Failure, Fault, Firmware, Firmware Design, Firmware Specification, Formal Language, Formal Methods, Generation Tool, Hardware, Hardware Design, Hardware Specification, Labeled Dataset, LL(1) Grammar, Microcode, Microcode Design, Microcode Specification, NVD, Security, Security Bug, Error, Fault, Security Failure, Security Vulnerability, Security Weakness, Software Design, Software Specification, Specification, Vulnerability, Vulnerability Analysis, Vulnerability Dataset, Vulnerability Remediation, Vulnerability Resolution, Vulnerability Mitigation, Weakness Dataset.

Citation

Bojanova, I. (2024), Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-231, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=957756 (Accessed December 7, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created July 30, 2024