Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries

Jedidiah R. Crandall; Daniela Oliveira

Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We are always patching our systems against specific instances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability studies are supposed to accomplish two main goals: to classify vulnerabilities into general classes so that unknown vulnerabilities of that class can be discovered in a proactive way, and to enable us to understand the fundamental nature of vulnerabilities so that when we build new systems we know how to make them secure. In this paper we propose a new paradigm for vulnerability studies: we view vulnerabilities as fractures in the interpretation of information as the information flows across the boundaries of different abstractions. We argue that categorizing vulnerabilities based on this view, as opposed to the types of categories that have been used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.

Original language	English (US)
Title of host publication	NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop
Pages	141-151
Number of pages	11
State	Published - 2012
Externally published	Yes
Event	2012 21st New Security Paradigms Workshop, NSPW 2012 - Bertinoro, Italy Duration: Sep 18 2012 → Sep 21 2012

Publication series

Name	Proceedings New Security Paradigms Workshop

Other

Other	2012 21st New Security Paradigms Workshop, NSPW 2012
Country/Territory	Italy
City	Bertinoro
Period	9/18/12 → 9/21/12

Keywords

Information flow
Layers of abstraction
TOCTTOU
Vulnerabilities

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Hardware and Architecture
Software
Information Systems

Cite this

Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries. / Crandall, Jedidiah R.; Oliveira, Daniela.
NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop. 2012. p. 141-151 (Proceedings New Security Paradigms Workshop).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Crandall, JR & Oliveira, D 2012, Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries. in NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop. Proceedings New Security Paradigms Workshop, pp. 141-151, 2012 21st New Security Paradigms Workshop, NSPW 2012, Bertinoro, Italy, 9/18/12.

@inproceedings{72de1080ec0245628595c07313265d77,

title = "Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries",

abstract = "We are always patching our systems against specific instances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability studies are supposed to accomplish two main goals: to classify vulnerabilities into general classes so that unknown vulnerabilities of that class can be discovered in a proactive way, and to enable us to understand the fundamental nature of vulnerabilities so that when we build new systems we know how to make them secure. In this paper we propose a new paradigm for vulnerability studies: we view vulnerabilities as fractures in the interpretation of information as the information flows across the boundaries of different abstractions. We argue that categorizing vulnerabilities based on this view, as opposed to the types of categories that have been used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.",

keywords = "Information flow, Layers of abstraction, TOCTTOU, Vulnerabilities",

author = "Crandall, {Jedidiah R.} and Daniela Oliveira",

year = "2012",

language = "English (US)",

isbn = "9781450317948",

series = "Proceedings New Security Paradigms Workshop",

pages = "141--151",

booktitle = "NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop",

note = "2012 21st New Security Paradigms Workshop, NSPW 2012 ; Conference date: 18-09-2012 Through 21-09-2012",

}

TY - GEN

T1 - Holographic vulnerability studies

T2 - 2012 21st New Security Paradigms Workshop, NSPW 2012

AU - Crandall, Jedidiah R.

AU - Oliveira, Daniela

PY - 2012

Y1 - 2012

N2 - We are always patching our systems against specific instances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability studies are supposed to accomplish two main goals: to classify vulnerabilities into general classes so that unknown vulnerabilities of that class can be discovered in a proactive way, and to enable us to understand the fundamental nature of vulnerabilities so that when we build new systems we know how to make them secure. In this paper we propose a new paradigm for vulnerability studies: we view vulnerabilities as fractures in the interpretation of information as the information flows across the boundaries of different abstractions. We argue that categorizing vulnerabilities based on this view, as opposed to the types of categories that have been used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.

AB - We are always patching our systems against specific instances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability studies are supposed to accomplish two main goals: to classify vulnerabilities into general classes so that unknown vulnerabilities of that class can be discovered in a proactive way, and to enable us to understand the fundamental nature of vulnerabilities so that when we build new systems we know how to make them secure. In this paper we propose a new paradigm for vulnerability studies: we view vulnerabilities as fractures in the interpretation of information as the information flows across the boundaries of different abstractions. We argue that categorizing vulnerabilities based on this view, as opposed to the types of categories that have been used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.

KW - Information flow

KW - Layers of abstraction

KW - TOCTTOU

KW - Vulnerabilities

UR - http://www.scopus.com/inward/record.url?scp=84871961577&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84871961577&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84871961577

SN - 9781450317948

T3 - Proceedings New Security Paradigms Workshop

SP - 141

EP - 151

BT - NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop

Y2 - 18 September 2012 through 21 September 2012

ER -

Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Other files and links

Cite this