Bojanova, I.
(2024),
Comprehensively Labeled Weakness and Vulnerability Datasets via Unambiguous Formal Bugs Framework (BF) Specifications, IEEE IT Professional, [online], https://doi.org/10.1109/MITP.2024.3358970, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=957238
(Accessed April 27, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Comprehensively Labeled Weakness and Vulnerability Datasets via Unambiguous Formal Bugs Framework (BF) Specifications
Published
Author(s)
Abstract
The current state of the art in software security -- describing weaknesses as CWEs, vulnerabilities as CVEs, and labeling CVEs with CWEs -- is not keeping up with the modern cybersecurity research and application requirements for comprehensively labeled datasets. As a formal classification system of software security bugs, faults, and weaknesses enabling unambiguous specification of vulnerabilities, the NIST Bugs Framework (BF) offers a prominent new approach towards systematic creation of labeled with the BF taxonomy datasets. This work presents methodologies based on BF and tools for comprehensive labeling of common weakness types (including CWEs) and publicly disclosed vulnerabilities (including CVEs). The BFCWE tool facilitates generation of unambiguous formal BF weakness specifications as entries of a comprehensively labeled BFCWE dataset. The BFCVE tool generates a comprehensively pre-labeled vulnerability dataset further refined via code analysis. Via a rich GUI it also guides the creation of unambiguous formal BF specifications as entries of a comprehensively labeled BFCVE dataset. The developed taxonomic datasets, transformation algorithms, databases, and queries can benefit the implementation of a new range of software testing, bug detection, test-case generation, and weakness/vulnerability specification generation tools.Citation
IEEE IT Professional
Volume
26
Issue
1
Pub Type
Journals
Download Paper
Keywords
Bug, Bug Classification, Bug Detection, Bug Taxonomy, Cybersecurity, Generation Tool, Labeled Dataset, Software Bug, Security Failure, Software Testing, Software Vulnerability, Software Weakness, Test-Case Generation, Vulnerability Dataset, Weakness Dataset.
Citation
Created January 20, 2024, Updated March 26, 2024