Search Publications by: Irena Bojanova (Fed)

Bug, Fault, Error, Weakness, or Vulnerability - Poster

November 7, 2023
Author(s)
Irena Bojanova
Motivation: Software security vulnerabilities are leveraged to attack cyberspace and critical infrastructure, leading to security failures. When communicating about them, however, even security experts might conflate essential related software concepts

Bugs Framework (BF) - Poster

November 7, 2023
Author(s)
Irena Bojanova
Motivation: Crucial need of a formal classification system allowing unambiguous specification of software security bugs and weaknesses, and the vulnerabilities that exploit them. Objective: Create bug models, weakness taxonomies, and vulnerability models

Labeling Software Security Vulnerabilities - Poster

November 7, 2023
Author(s)
Irena Bojanova, John Guerrerio
Motivation: Crucial need for systematic comprehensive labeling of the more than 228 000 publicly disclosed cybersecurity CVE vulnerabilities to enable advances in modern AI cybersecurity research. Objective: Utilize the Bugs Framework (BF) formalism for BF

Labeling Software Security Vulnerabilities

October 1, 2023
Author(s)
Irena Bojanova, John Guerrerio
Labeling software security vulnerabilities would greatly benefit modern artificial intelligence cybersecurity research. The National Vulnerability Database (NVD) partially achieves this via assignment of Common Weakness Enumeration (CWE) entries to Common

Critical Software Security Weaknesses

August 1, 2023
Author(s)
Assane Gueye, Carlos Eduardo Cardoso Galhardo, Irena Bojanova
In this work, we append our historical study on the most significant software security weaknesses, re-evaluate our findings, and look closely at the Injection and Memory Corruption/Disclosure weaknesses through the NIST Bugs Framework (BF) lenses. Our goal

Heartbleed Revisited: Is it just a Buffer Over-Read?

April 1, 2023
Author(s)
Irena Bojanova, Carlos Eduardo Cardoso Galhardo
In this work, we examine in detail the weaknesses underlying the Heartbleed vulnerability and show how it may lead to private information exposure.

Input/Output Check Bugs Taxonomy: Injection Errors in Spotlight

November 17, 2021
Author(s)
Irena Bojanova, Carlos Eduardo Cardoso Galhardo, Sara Moshtari
In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that

Classifying Memory Bugs Using Bugs Framework Approach

September 9, 2021
Author(s)
Irena Bojanova, Carlos Galhardo
In this work, we present an orthogonal classification of memory corruption bugs, allowing precise structured descriptions of related software vulnerabilities. The Common Weakness Enumeration (CWE) is a well-known and used list of software weaknesses

A Decade of Reoccurring Software Weaknesses

June 24, 2021
Author(s)
Assane Gueye, Carlos Galhardo, Irena Bojanova, Peter Mell
The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the 'Most Dangerous Software Errors.' However, the equation used is heavily biased toward frequency and almost ignores exploitability and impact. We provide a metric to

Algorithms and Data Structures for New Models of Computation

February 1, 2021
Author(s)
Paul E. Black, David W. Flater, Irena Bojanova
In the early days of computer science, the community settled on a simple standard model of computing and a basic canon of general purpose algorithms and data structures suited to that model. With isochronous computing, heterogeneous multiprocessors, flash

Measurements of the Most Significant Software Security Weaknesses

December 6, 2020
Author(s)
Carlos E. Cardoso Galhardo, Peter Mell, Irena Bojanova, Assane Gueye
In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well

Information Exposure (IEX): A New Class in the Bugs Framework (BF)

July 9, 2019
Author(s)
Irena Bojanova, Yaacov Yesha, Paul E. Black, Yan Wu
Exposure of sensitive information can be harmful on its own and in addition could enable further attacks. A rigorous and unambiguous definition of information exposure faults can help researchers and practitioners identify them, thus avoiding security

Defeating Buffer Overflow: One of the Most Trivial and Dangerous Bugs of All!

October 31, 2016
Author(s)
Paul E. Black, Irena Bojanova
The C programming language was invented over 40 years ago. It is infamous for buffer overflows. We have learned a lot about computer science, language design, and software engineering since then. As it is unlikely that we will stop using C any time soon

The Bugs Framework (BF): A Structured Approach to Express Bugs

October 13, 2016
Author(s)
Irena Bojanova, Paul E. Black, Yaacov Yesha, Yan Wu
To achieve higher levels of assurance for digital systems, we need to answer questions such as: does this software have bugs of these critical classes? Do these two tools generally find the same set of bugs, or different, complementary sets? Can we

Guest Editors’ Introduction: Cybersecurity or Privacy

September 1, 2016
Author(s)
Irena V. Bojanova, Jeffrey M. Voas
Cybersecurity is a major concern. Governments', industry's, and even hospitals' IT infrastructure is being penetrated with increasing frequency and sophistication. The growth of mobile and IoT devices and amateur software only adds to that. But privacy is

Learning Internet of Things Security "Hands-on"

February 3, 2016
Author(s)
Constantinos Kolias, Angelos Stavrou, Jeff Voas, Irena Bojanova, D. Richard Kuhn
Our research began from asking whether there is a science behind the Internet of Things (IoT). We started from zero knowledge and no bias. The results of that work determined that indeed there is a science, but it is a science of numerous actors, that when

Cyber-Physical Social Systems: Getting People into the Loop

January 1, 2016
Author(s)
Sulayman Sowe, Eric D. Simmon, Koji Zettsu, Frederic J. de Vaulx, Irena Bojanova
This paper outlines the need to effectively integrate people into the design of a new generation of Cyber-Physical Social Systems (CPSS) and proposes a Human Service Capability Description Model to do it.

Towards a “Periodic Table” of Bugs

June 19, 2015
Author(s)
Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu
High-confidence systems must not be vulnerable to attacks that reduce the security, reliability, or availability of the system as a whole. One collection of vulnerabilities is the Common Weakness Enumeration (CWE). It represents a considerable community

Towards a "Periodic Table" of Bugs

April 8, 2015
Author(s)
Irena Bojanova
Our vision for a "periodic table" of bugs is a "natural" organization of a catalog or dictionary or taxonomy to describe software weaknesses and vulnerabilities. Such an organization will help the community to: a) more closely explain the nature of

Formalizing Software Bugs

December 8, 2014
Author(s)
Irena Bojanova
Knowing what makes a software system vulnerable to attacks is critical, as software vulnerabilities hurt the security, reliability, and availability of the system as a whole. In addition, understanding how an adversary operates is essential to effective cyber