Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight

Published

Author(s)

Irena Bojanova, Carlos Eduardo Cardoso Galhardo, Sara Moshtari

Abstract

In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause-->consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence–cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.
Proceedings Title
2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE)
Conference Dates
October 25-28, 2021
Conference Location
Wuhan, CN

Keywords

Bug classification, bug taxonomy, software vulnerability, software weakness, input validation, input sanitization, input verification, injection.

Citation

Bojanova, I. , Cardoso Galhardo, C. and Moshtari, S. (2021), Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight, 2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE), Wuhan, CN, [online], https://doi.org/10.1109/ISSREW53611.2021.00052, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933193 (Accessed December 6, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created November 17, 2021, Updated November 29, 2022