Towards a “Periodic Table” of Bugs

Published: June 19, 2015


Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu


High-confidence systems must not be vulnerable to attacks that reduce the security, reliability, or availability of the system as a whole. One collection of vulnerabilities is the Common Weakness Enumeration (CWE). It represents a considerable community effort, but many of the descriptions are inaccurate, incomplete, inconsistent, or ambiguous. Our vision is a "natural" organization of a catalog or dictionary or taxonomy to describe software weaknesses and vulnerabilities. Such an organization will help the community to more closely describe and explain (a) the nature of vulnerabilities (e.g. Heartbleed, Ghost, Chrome WebCore, etc.) and eventually detect, mitigate, or prevent them; (b) the classes of weaknesses that tools warnings cover (e.g. buffer overflow, injection, etc.), and (c) eliminate the need for an exhaustive Cartesian product of CWEs. It may also help (d) predict new classes of weaknesses and vulnerabilities, and (e) improve existing classifications. We started by developing more precise and accurate definitions for three representative CWEs: CWE-307 Improper Restriction of Excessive Authentication Attempts; CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer (Buffer Overflow), and CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Based on CWEs (and the notions of chains and composites), Software Fault Patterns (SFPs), and Semantic Templates, we refined and extended the structures. Our definition of Buffer Overflow is "The software can access through a buffer a memory location not allocated to that buffer." The poster's graph of causes shows that there are only three proximate causes of buffer overflows: 1. Destination is too small, 2. Source is too big, and/or 3. Wrong index / pointer out of range. The poster also shows some of the preceding causes that may lead to those.
Citation: OWASP Northern Virginia Chapter
Pub Type: Websites

Download Paper


Common Weakness Enumeration, CWE, software vulnerability, taxonomy of bugs, software assurance
Created June 19, 2015, Updated February 19, 2017