Holographic vulnerability studies: Vulnerabilities as fractures in interpretation as information flows across abstraction boundaries

Jedidiah R. Crandall, Daniela Oliveira

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

7 Scopus citations

Abstract

We are always patching our systems against specific instances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability studies are supposed to accomplish two main goals: to classify vulnerabilities into general classes so that unknown vulnerabilities of that class can be discovered in a proactive way, and to enable us to understand the fundamental nature of vulnerabilities so that when we build new systems we know how to make them secure. In this paper we propose a new paradigm for vulnerability studies: we view vulnerabilities as fractures in the interpretation of information as the information flows across the boundaries of different abstractions. We argue that categorizing vulnerabilities based on this view, as opposed to the types of categories that have been used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.

Original language: English (US)
Title of host publication: NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop
Pages: 141-151
Number of pages: 11
State: Published - 2012
Externally published: Yes
Event: 2012 21st New Security Paradigms Workshop, NSPW 2012 - Bertinoro, Italy
Duration: Sep 18 2012 to Sep 21 2012

Publication series

Name: Proceedings New Security Paradigms Workshop

Other

Other: 2012 21st New Security Paradigms Workshop, NSPW 2012
Country: Italy
City: Bertinoro
Period: 9/18/12 to 9/21/12

Keywords

  • Information flow
  • Layers of abstraction
  • TOCTTOU
  • Vulnerabilities

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Software
  • Information Systems
