Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight
Published
Author(s)
Irena Bojanova, Carlos Eduardo Cardoso Galhardo, Sara Moshtari
Abstract
In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause→consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence–cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.
Proceedings Title
2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE)
Bojanova, I., Cardoso Galhardo, C. and Moshtari, S. (2021), Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight, 2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE), Wuhan, CN, [online], https://doi.org/10.1109/ISSREW53611.2021.00052, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933193 (Accessed October 5, 2025)