Bojanova, I.
, Cardoso Galhardo, C.
and Moshtari, S.
(2021),
Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight, 2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE), Wuhan, CN, [online], https://doi.org/10.1109/ISSREW53611.2021.00052, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933193
(Accessed April 27, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight
Published
Author(s)
, Carlos Eduardo Cardoso Galhardo, Sara Moshtari
Abstract
In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause-->consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence–cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.Proceedings Title
2021 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE)
Conference Dates
October 25-28, 2021
Conference Location
Wuhan, CN
Pub Type
Conferences
Download Paper
Keywords
Bug classification, bug taxonomy, software vulnerability, software weakness, input validation, input sanitization, input verification, injection.
Citation
Created November 17, 2021, Updated November 29, 2022