TY - GEN
T1 - Holographic vulnerability studies
T2 - 2012 21st New Security Paradigms Workshop, NSPW 2012
AU - Crandall, Jedidiah R.
AU - Oliveira, Daniela
PY - 2012
Y1 - 2012
N2 - We are always patching our systems against specific instances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability studies are supposed to accomplish two main goals: to classify vulnerabilities into general classes so that unknown vulnerabilities of that class can be discovered in a proactive way, and to enable us to understand the fundamental nature of vulnerabilities so that when we build new systems we know how to make them secure. In this paper we propose a new paradigm for vulnerability studies: we view vulnerabilities as fractures in the interpretation of information as the information flows across the boundaries of different abstractions. We argue that categorizing vulnerabilities based on this view, as opposed to the types of categories that have been used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.
KW - Information flow
KW - Layers of abstraction
KW - TOCTTOU
KW - Vulnerabilities
UR - http://www.scopus.com/inward/record.url?scp=84871961577&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84871961577&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84871961577
SN - 9781450317948
T3 - Proceedings New Security Paradigms Workshop
SP - 141
EP - 151
BT - NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop
Y2 - 18 September 2012 through 21 September 2012
ER -