Understanding Vulnerabilities by Refining Taxonomy
 Nurul Haszeli Ahmad₁, Syed Ahmad Aljunid₁, Jamalul-lail Ab Manan₂
 ₁ FSKM, UiTM Shah Alam
 ₂ MIMOS Berhad
Contents
  •   Introduction
  •   Taxonomy and Criteria of a Well-Defined Taxonomy
  •   Previous Vulnerabilities Taxonomies and Gaps
  •   Refining Previous Taxonomies
  •   Taxonomy of C Overflow Vulnerabilities Attack
  •   Contribution
  •   Conclusion
  •   Q&A
Introduction
  • Vulnerabilities and exploitation started in the late 80s
  • In the early 90s, experts started to identify vulnerabilities to improve
    understanding of the behavior and nature of vulnerabilities
    (Aslam, 1995; Howard et al., 2009; Viega & McGraw, 2001; Seacord, 2005; etc.)
  • Programming rules and tools were constructed using these classifications
  • However, vulnerabilities are still at large (Microsoft, 2011; MITRE, 2011;
    and IBM, 2011)
  • Most dominant and prominent: overflow vulnerabilities in applications
    developed using the C language
Introduction… cont.
  • This paper focuses on:
    – Identifying and describing the criteria of a well-defined taxonomy
    – Critiquing previous taxonomies, including identifying gaps and
      proposing improvements
    – Briefly presenting the C overflow vulnerabilities attack taxonomy
  • Why?
    – Accurate comprehension of the problems is crucial to improving
      security implementation and analysis tools (Krsul, 1998)
    – Understanding vulnerabilities is crucial to developing secure
      software and thus gaining the trust of users (Bill Gates, 2002)
Taxonomy and Criteria of a Well-Defined Taxonomy
  • Definition (Krsul, 1998; Patrick, 2006; Merriam-Webster, 2011)
      – Taxonomy
          • A study to generalize and classify studied objects
      – Classification
          • An arrangement of studied objects into a specific order or
            by shared behaviour
      – Vulnerabilities Taxonomy
          • A generalization and classification of vulnerabilities
      – Criteria of a well-defined taxonomy
          • A set of criteria that ensures a taxonomy covers the
            scope of the objects studied
      – Well-Defined Taxonomy
          • An arrangement or classification structure that fulfils a
            list of criteria which ensure it is complete and
            understandable, and thus useful in building knowledge
            on the objects studied
Criteria of A Well-Defined Taxonomy
  1. Simplicity
  2. Organized Structures
  3. Obvious
  4. Repeatability
  5. Mutual Exclusive
  6. Completeness
  7. Similarity
  8. Knowledge Compliant

Source: Krsul, 1998; Alhazmi et al., 2006; Howard et al., 1998; Vijayaraghavan & Kaner, 2003;
Hansman, 2003; Killourhy et al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansman & Hunt, 2005;
Venter & Eloff, 2003; Bishop & Bailey, 1996.
Criteria of A Well-Defined Taxonomy
  No.  Characteristics                              Description
  1    Simplicity                                   • Simplified into diagram or structures
  2    Organized Structures                         • Organized into readable structures
  3    Obvious                                      • SMART and observable objective
                                                    • Process flow is clear and easily followed
  4    Repeatability                                • Repeatable result
  5    Specificity / Mutual Exclusive / Primitive   • Specific and explicit value
                                                    • Object belongs to ONLY one class
  6    Completeness                                 • Covers all objects of the same behavior or character
  7    Similarity                                   • Similar characteristics of objects in a class
  8    Knowledge Compliant                          • Built using known existing terminology

Source: Krsul, 1998; Alhazmi et al., 2006; Howard et al., 1998; Vijayaraghavan & Kaner, 2003;
Hansman, 2003; Killourhy et al., 2004; Bishop, 1999; Igure & Williams, 2008; Hansman & Hunt, 2005;
Venter & Eloff, 2003; Bishop & Bailey, 1996.
Contents
 • Introduction
 • Taxonomy and Criteria of a Well-Defined Taxonomy

 • Previous Taxonomy and Gaps
 •   Propose improvement for previous taxonomy
 •   Taxonomy of C Overflow Vulnerabilities Attack
 •   Contribution
 •   Conclusion
 •   Q&A
Previous Vulnerabilities Taxonomies and Gaps (General)
  Taxonomy                                 Well-Defined Characteristics
                                           1   2   3   4   5   6   7   8
  H. Shahriar, M. Zulkernine (2011)        √   √   X   X   X   X   √   √
  A. Bazaz, J. D. Arthur (2007)            √   √   X   X   X   X   √   √
  O. H. Alhazmi et al. (2006)              √   √   √   √   √   X   √   √
  M. Gegick, L. Williams (2005)            √   X   √   √   √   X   √   √
  K. Tsipenyuk et al. (2005)               √   √   √   X   X   X   √   √
  S. Hansman, R. Hunt (2005)               X   √   X   √   X   √   √   √
  V. Pothamsetty, B. Akyol (2004)          X   X   √   X   X   √   √   √
  Killourhy, K. S., et al. (2004)          √   √   √   X   √   X   √   √
  Lough, D. L. (2001)                      √   √   X   X   X   X   √   √
  Krsul, I. V. (1998)                      √   √   X   X   X   X   √   √
  Howard, J. D., Longstaff, T. A. (1998)   √   √   X   X   √   √   √   √
  Aslam, T. (1995)                         √   √   X   X   X   X   √   √
Previous Vulnerabilities Taxonomies and Gaps (C Overflow)
  Taxonomy                 Well-Defined Characteristics
                           1   2   3   4   5   6   7   8
  H. D. Moore (2007)       √   √   X   √   X   X   √   √
  A. I. Sotirov (2005)     √   √   √   X   √   X   √   √
  M. A. Zhivich (2005)     √   √   √   X   X   X   √   √
  K. Kratkiewicz (2005)    √   √   √   X   X   X   √   √
  M. Zitser (2003)         √   √   √   X   X   X   √   √
Proposed improvements for previous taxonomies (General)
  Taxonomy                            Proposed Improvement
  H. Shahriar, M. Zulkernine (2011)   • Combine classes with objects sharing similar characteristics
                                      • Clear and observable definition and process flow
  A. Bazaz, J. D. Arthur (2007)       • Divide classes into sub-classes due to generality
                                      • Clear and observable process flow
                                      • Reduce constraints or assumptions
  O. H. Alhazmi et al. (2006)         • Combine process and classes for both by type and severity
                                      • Further divide into sub-classes
  M. Gegick, L. Williams (2005)       • Build on top of existing knowledge
                                      • Clear and observable process flow
  K. Tsipenyuk et al. (2005)          • Combine classes that share characteristics
                                      • Well-structured to differentiate languages used
                                      • Too many classes and too wide; should reduce the scope
  S. Hansman, R. Hunt (2005)          • Reduce the scope
                                      • Rearrange the classification
Proposed improvements for previous taxonomies (General)
  Taxonomy                                 Proposed Improvement
  V. Pothamsetty, B. Akyol (2004)          • Further divide into sub-classes
                                           • Reduce the scope
                                           • Rearrange the class structure
  Killourhy, K. S., et al. (2004)          • Clear and observable process flow and definition
                                           • Build on top of existing knowledge
  Lough, D. L. (2001)                      • Further divide into sub-classes
  Krsul, I. V. (1998)                      • Clear and observable process flow
                                           • Well-structured classes
  Howard, J. D., Longstaff, T. A. (1998)   • Clear and observable process flow
                                           • Well-structured classes
                                           • Further divide into sub-classes
  Aslam, T. (1995)                         • Extend the list further
                                           • Rearrange the classes
Proposed improvements for previous taxonomies (C Overflow)
  Taxonomy                 Proposed Improvement
  H. D. Moore (2007)       • Clear definition of class
                           • Divide further into a few sub-classes
  A. I. Sotirov (2005)     • Extend and generalize to cover latest vulnerabilities
                           • Restructure the class
  M. A. Zhivich (2005)     • Extend the list of overflow vulnerabilities
                           • Restructure to have a specific class on overflows
  K. Kratkiewicz (2005)    • Restructure the classes
                           • Implement hierarchy-based classes
  M. Zitser (2003)         • Restructure the classes
                           • Implement hierarchy-based classes
Taxonomy of C Overflow Vulnerabilities Attack

[Figure: taxonomy diagram, not preserved in this text]

Sources: Ahmad et al., 2011 (ICSECS); Ahmad et al., 2011 (IJNCAA)
Contribution
  1. Consolidate and construct criteria of a well-defined taxonomy
  2. Consolidate all reviews on previous taxonomies
  3. Critical reviews, including identifying gaps and proposing
     potential improvements on previous taxonomy
Conclusion
• Construct and discuss characteristics of a
  well-defined taxonomy
• Critical review of previous vulnerabilities
  taxonomies in the context of well-defined
  characteristics
• Propose possible improvements for previous
  taxonomies
• Briefly share the constructed taxonomy specific
  to C overflow vulnerabilities, which meets the
  criteria of a well-defined taxonomy
Nurul Haszeli Ahmad
UiTM Shah Alam
Email: masteramuk@yahoo.com
Blog: http://malaysiandeveloper.blogspot.com
Skype, LinkedIn & Twitter: masteramuk

Syed Ahmad Aljunid
FSKM, UiTM Shah Alam
Email: aljunid@tmsk.uitm.edu.my

Jamalul-lail Ab Manan
MIMOS Berhad
Email: jamalul.lail@mimos.my

Editor's Notes

  1. Proposing improvements – covers all identified vulnerabilities taxonomies in order to have comprehensive remarks, but our proposal has significant impact on the latest taxonomies, such as those by Shahriar (2011), Bazaz (2007), and Moore (2005)