Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight

Author(s)

Irena Bojanova, Carlos Eduardo Cardoso Galhardo, Sara Moshtari

Abstract

In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause→consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence→cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.

Proceedings Title

2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE)

Conference Dates

October 25-28, 2021

Conference Location

Wuhan, CN

Keywords

Bug classification, bug taxonomy, software vulnerability, software weakness, input validation, input sanitization, input verification, injection.

Citation

Bojanova, I., Cardoso Galhardo, C. and Moshtari, S. (2021), Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight, 2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE), Wuhan, CN, [online], https://doi.org/10.1109/ISSREW53611.2021.00052, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933193 (Accessed October 20, 2025)

Created November 17, 2021, Updated November 29, 2022