0
Understanding Vulnerabilities by Refining Taxonomy Nurul Haszeli Ahmad₁ Syed Ahmad Aljunid₁ Jamalul-lail Ab     Manan₂  ₁ ...
Contents  •   Introduction  •   Taxonomy and Criteria of a Well-Defined Taxonomy  •   Previous Vulnerabilities Taxonomies ...
Introduction  • Vulnerabilities and exploitations starts in the late 80s  • Experts start to identify vulnerabilities to i...
Introduction… cont. • This paper is focusing    – Identify and describe the criteria of a Well-Defined      Taxonomy    – ...
Contents• Introduction• Taxonomy and Criteria of a Well-  Defined Taxonomy•   Previous Taxonomy and Gaps•   Propose improv...
Taxonomy and Criteria of a  Well-Defined Taxonomy  • Definition (Krsul, 1998; Patrick, 2006; Merriam-Webster, 2011)      –...
Criteria of A Well-Defined    Taxonomy                          1. Simplicity                          2. Organized Struct...
Criteria of A Well-Defined   Taxonomy  No.  Characteristics    Description    1      Simplicity                         •S...
Contents • Introduction • Taxonomy and Criteria of a Well-Defined Taxonomy • Previous Taxonomy and Gaps •   Propose improv...
Previous Vulnerabilities Taxonomies    and Gaps (General)          Taxonomy                         Well-Defined Character...
Previous Vulnerabilities   Taxonomies and Gaps (C   Overflow)        Taxonomy                      Well-Defined Characteri...
Contents• Introduction• Taxonomy and Criteria of a Well-Defined Taxonomy• Previous Taxonomy and Gaps• Propose improvement ...
Proposed improvements for    previous taxonomies (General)    Taxonomy                          Proposed ImprovementH. Sha...
Proposed improvements for   previous taxonomies (General)     Taxonomy                       Proposed ImprovementV. Potham...
Proposed improvements for    previous taxonomies (C    Overflow)    Taxonomy      Proposed ImprovementH. D. Moore         ...
Contents •   Introduction •   Taxonomy and Criteria of a Well-Defined Taxonomy •   Previous Taxonomy and Gaps •   Propose ...
Taxonomy of C OverflowVulnerabilities AttackSources: Ahmad, et. al., 2011 (ICSECS); Ahmad, et. al. ,2011 (IJNCAA)
Contents•   Introduction•   Taxonomy and Criteria of a Well-Defined Taxonomy•   Previous Taxonomy and Gaps•   Propose impr...
Contribution     • Consolidate and construct criterions of       well-define taxonomy 1     • Consolidate all reviews on p...
Contents•   Introduction•   Taxonomy and Criteria of a Well-Defined Taxonomy•   Previous Taxonomy and Gaps•   Propose impr...
Conclusion• Construct and discuss characteristics of  well-defined taxonomy• Critical review on previous vulnerabilities  ...
Nurul Haszeli AhmadUiTM Shah AlamEmail: masteramuk@yahoo.comBlog: http://malaysiandeveloper.blogspot.comSkype, LinkedIn & ...
Understanding Vulnerability by Refining Taxonomy
Upcoming SlideShare
Loading in...5
×

Understanding Vulnerability by Refining Taxonomy

233

Published on

In this presentation slide, we share our reviews and critics on various vulnerability taxonomy. We also proposed on criteria for a taxonomy to be graded as well-defined taxonomy. On top of that, we share our taxonomy that specifically constructed to understand various vulnerability in C programming language

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
233
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Proposing improvements – covers all identified vulnerabilities taxonomies to have comprehensive remarks but our proposal has significant impact to latest taxonomies such as by Shahriar (2011), Bazaaz (2007), and Moore (2005)
  • Transcript of "Understanding Vulnerability by Refining Taxonomy"

    1. 1. Understanding Vulnerabilities by Refining Taxonomy Nurul Haszeli Ahmad₁ Syed Ahmad Aljunid₁ Jamalul-lail Ab Manan₂ ₁ FSKM, UiTM Shah Alam ₂ MIMOS Berhad
    2. 2. Contents • Introduction • Taxonomy and Criteria of a Well-Defined Taxonomy • Previous Vulnerabilities Taxonomies and Gaps • Refining Previous Taxonomies • Taxonomy of C Overflow Vulnerabilities Attack • Contribution • Conclusion • Q&A
    3. 3. Introduction • Vulnerabilities and exploitations starts in the late 80s • Experts start to identify vulnerabilities to improve understanding of behavior and nature of vulnerability in early 90s (Aslam, 1995; Howard et.al., 2009; Viega & McGraw, 2001; Seacord, 2005; etc.) • Using the classifications, programming rules and tools are constructed • However, vulnerabilities is still at large (Microsoft, 2011; MITRE, 2011; and IBM, 2011) • Most dominant and prominent – overflow vulnerabilities in applications developed using C language
    4. 4. Introduction… cont. • This paper is focusing – Identify and describe the criteria of a Well-Defined Taxonomy – Criticize previous taxonomies; including identifying gaps, and proposing improvements – Present briefly C overflow vulnerabilities attack taxonomy • Why? – Accurate comprehension on the problems is crucial towards improvement of security implementation and analysis tool (Krsul, 1998) – Understanding vulnerabilities is crucial towards developing a secure software thus gaining trustworthiness from users (Bill Gates, 2002)
    5. 5. Contents• Introduction• Taxonomy and Criteria of a Well- Defined Taxonomy• Previous Taxonomy and Gaps• Propose improvement for previous taxonomy• Taxonomy of C Overflow Vulnerabilities Attack• Contribution• Conclusion• Q&A
    6. 6. Taxonomy and Criteria of a Well-Defined Taxonomy • Definition (Krsul, 1998; Patrick, 2006; Merriam-Webster, 2011) – Taxonomy • a study to generalize and classify studied objects – Classification • an arrangement of studied objects into specific order or sharing the same behaviour – Vulnerabilities Taxonomy • A generalize and classification of vulnerabilities – Criteria of a well-defined taxonomy • Set of criterions that ensure a taxonomy covers the scope of the objects studied. • An arrangement or classifications structures thatWell-Defined fulfil list of criterions which ensure it is complete and understandable thus becomes useful in Taxonomy building knowledge on objects studied.
    7. 7. Criteria of A Well-Defined Taxonomy 1. Simplicity 2. Organized Structures 3. Obvious 4. Repeatability 5. Mutual Exclusive 6. Completeness 7. Similarity 8. Knowledge CompliantSource: Krsul, 1998; Alhazmi et.al., 2006; Howard et.al., 1998; Vijayaraghavan & Kaner, 2003;Hansmann, 2003; Killhourhy et.al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansmann & Hunt, 2005;Venter & Eloff, 2003; Bishop & Bailey, 1996.
    8. 8. Criteria of A Well-Defined Taxonomy No. Characteristics Description 1 Simplicity •Simplified into diagram or structures 2 Organized Structures •Organized into readable structures. 3 Obvious •SMART and Observable objective. •Process flow is clear and easily followed. 4 Repeatability •Repeatable result 5 Specificity / Mutual •Specific and Explicit value Exclusive / Primitive •Object belongs to ONLY one class. 6 Completeness *covers all object of the same behavior or character 7 Similarity *Similar characteristics of objects in a class 8 Knowledge Built using known existing terminology CompliantSource: Krsul, 1998; Alhazmi et.al., 2006; Howard et.al., 1998;Vijayaraghavan & Kaner, 2003;Hansmann, 2003; Killhourhy et.al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansmann & Hunt, 2005;Venter & Eloff, 2003; Bishop & Bailey, 1996.
    9. 9. Contents • Introduction • Taxonomy and Criteria of a Well-Defined Taxonomy • Previous Taxonomy and Gaps • Propose improvement for previous taxonomy • Taxonomy of C Overflow Vulnerabilities Attack • Contribution • Conclusion • Q&A
    10. 10. Previous Vulnerabilities Taxonomies and Gaps (General) Taxonomy Well-Defined Characteristics 1 2 3 4 5 6 7 8H. Shahriar, M. Zulkernine √ √ X X X X √ √(2011)A. Bazaz, J. D. Arthur (2007) √ √ X X X X √ √O. H. Alhazmi et. al. (2006) √ √ √ √ √ X √ √M. Gegick, L. Williams (2005) √ X √ √ √ X √ √K. Tsipenyuk, et. al. (2005) √ √ √ X X X √ √S. Hansman, R. Hunt (2005) X √ X √ X √ √ √V. Pothamsetty, B. Akyol X X √ X X √ √ √(2004)Killourhy, K. S., et. al. (2004) √ √ √ X √ X √ √Lough, D. L. (2001) √ √ X X X X √ √Krsul, I. V. (1998) √ √ X X X X √ √Howard, J. D., Longstaff, T. A √ √ X X √ √ √ √(1998)Aslam, T. (1995) √ √ X X X X √ √
    11. 11. Previous Vulnerabilities Taxonomies and Gaps (C Overflow) Taxonomy Well-Defined Characteristics 1 2 3 4 5 6 7 8H. D. Moore (2007) √ √ X √ X X √ √A. I. Sotirov (2005) √ √ √ X √ X √ √M. A. Zhivich (2005) √ √ √ X X X √ √K. Kratkiewicz (2005) √ √ √ X X X √ √M. Zitser (2003) √ √ √ X X X √ √
    12. 12. Contents• Introduction• Taxonomy and Criteria of a Well-Defined Taxonomy• Previous Taxonomy and Gaps• Propose improvement for previous taxonomy• Taxonomy of C Overflow Vulnerabilities Attack• Contribution• Conclusion• Q&A
    13. 13. Proposed improvements for previous taxonomies (General) Taxonomy Proposed ImprovementH. Shahriar, M. •Combine classes with object sharing similarZulkernine (2011) characteristics •Clear and observable definition and process flowA. Bazaz, J. D. •Divide classes into sub-class due to generalityArthur (2007) •Clear and observable process flow •Reduce constraint or assumptionO. H. Alhazmi et. •Combine process and classes for both by type andal. (2006) severity •Further divided into sub-classesM. Gegick, L. •Build on top of existing knowledge.Williams (2005) •Clear and observable process flowK. Tsipenyuk, et. al. •Combine classes that share characteristic(2005) •Well-structures to differentiate languages used •Too many classes and to wide – should reduce the scopeS. Hansman, R. •Reduce the scopeHunt (2005) •Rearrange the classification
    14. 14. Proposed improvements for previous taxonomies (General) Taxonomy Proposed ImprovementV. Pothamsetty, B. •Further divide into sub-classesAkyol (2004) •Reduce the scope •Rearrange the class structureKillourhy, K. S., et. •Clear and observable process flow and definitional. (2004) •Build on top of existing knowledgeLough, D. L. •Further divide into sub-classes.(2001)Krsul, I. V. (1998) •Clear and observable process flow •Well-structure classesHoward, J. D., •Clear and observable process flowLongstaff, T. A •Well-structure of classes(1998) •Further divide into sub-classesAslam, T. (1995) •Extend the list further •Rearrange the classes
    15. 15. Proposed improvements for previous taxonomies (C Overflow) Taxonomy Proposed ImprovementH. D. Moore •Clear definition of class(2007) •Divide further into few sub-classesA. I. Sotirov (2005) •To extend and generalize to cover latest vulnerabilities •Restructure the class.M. A. Zhivich •To extend the list of overflow vulnerabilities(2005) •Restructure to have specific class on overflowsK. Kratkiewicz •Restructure the classes(2005) •To implement hierarchy based classM. Zitser (2003) •Restructure the classes •To implement hierarchy based class
    16. 16. Contents • Introduction • Taxonomy and Criteria of a Well-Defined Taxonomy • Previous Taxonomy and Gaps • Propose improvement for previous taxonomy • Taxonomy of C Overflow Vulnerabilities Attack • Contribution • Conclusion • Q&A
    17. 17. Taxonomy of C OverflowVulnerabilities AttackSources: Ahmad, et. al., 2011 (ICSECS); Ahmad, et. al. ,2011 (IJNCAA)
    18. 18. Contents• Introduction• Taxonomy and Criteria of a Well-Defined Taxonomy• Previous Taxonomy and Gaps• Propose improvement for previous taxonomy• Taxonomy of C Overflow Vulnerabilities Attack• Contribution• Conclusion• Q&A
    19. 19. Contribution • Consolidate and construct criterions of well-define taxonomy 1 • Consolidate all reviews on previous taxonomies 2 • Critical reviews; including identifying gaps and proposing potential improvements on 3 previous taxonomy
    20. 20. Contents• Introduction• Taxonomy and Criteria of a Well-Defined Taxonomy• Previous Taxonomy and Gaps• Propose improvement for previous taxonomy• Taxonomy of C Overflow Vulnerabilities Attack• Contribution• Conclusion• Q&A
    21. 21. Conclusion• Construct and discuss characteristics of well-defined taxonomy• Critical review on previous vulnerabilities taxonomies in the context of well-defined characteristics• Propose possible improvements for previous taxonomies• Share briefly constructed taxonomy specific to C overflow vulnerabilities which meet the criteria of well-defined taxonomy
    22. 22. Nurul Haszeli AhmadUiTM Shah AlamEmail: masteramuk@yahoo.comBlog: http://malaysiandeveloper.blogspot.comSkype, LinkedIn & Twitter: masteramukSyed Ahmad AljunidFSMK, UiTM Shah AlamEmail: aljunid@tmsk.uitm.edu.myJamalul-lail Ab MananMIMOS BerhadEmail: jamalul.lail@mimos.my
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×