Data Type Bugs Taxonomy: Integer Overflow, Juggling, and Pointer Arithmetics in Spotlight

2022 IEEE 29th Annual Software Technology Conference (STC) Pub Date : 2022-10-01 DOI:10.1109/STC55697.2022.00035

Irena Bojanova, C. E. Galhardo, Sara Moshtari

{"title":"Data Type Bugs Taxonomy: Integer Overflow, Juggling, and Pointer Arithmetics in Spotlight","authors":"Irena Bojanova, C. E. Galhardo, Sara Moshtari","doi":"10.1109/STC55697.2022.00035","DOIUrl":null,"url":null,"abstract":"In this work, we present an orthogonal classification of data type bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define four language-independent classes that cover all possible kinds of data type bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause$\\rightarrow$consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence-cause transitions. With our newly developed classes Declaration Bugs, Name Resolution Bugs, Type Conversion Bugs, and Type Computation Bugs, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). The proposed classes allow clear communication about software bugs that relate to misuse of data types, and provide a structured way to precisely describe data type related vulnerabilities.","PeriodicalId":170123,"journal":{"name":"2022 IEEE 29th Annual Software Technology Conference (STC)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE 29th Annual Software Technology Conference (STC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/STC55697.2022.00035","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

In this work, we present an orthogonal classification of data type bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define four language-independent classes that cover all possible kinds of data type bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause$\rightarrow$consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence-cause transitions. With our newly developed classes Declaration Bugs, Name Resolution Bugs, Type Conversion Bugs, and Type Computation Bugs, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). The proposed classes allow clear communication about software bugs that relate to misuse of data types, and provide a structured way to precisely describe data type related vulnerabilities.

查看原文本刊更多论文

数据类型错误分类:整数溢出，杂耍和指针算术在聚光灯下

在这项工作中，我们提出了数据类型错误的正交分类，允许对相关软件漏洞进行精确的结构化描述。我们利用bug框架(Bugs Framework, BF)方法定义了四个独立于语言的类，它们涵盖了所有可能的数据类型bug。在BF中，每个类都是一个弱点类型的分类范畴，由一组操作、因果关系和属性定义。错误或弱点的BF描述是一个分类BF类的实例，它具有一个操作、一个原因、一个结果及其属性。然后，任何漏洞都可以被描述为这样的实例链及其因果转换。通过我们新开发的类声明错误、名称解析错误、类型转换错误和类型计算错误，我们确认BF是一个扩展了共同弱点枚举(CWE)的分类系统。所建议的类允许对与数据类型滥用相关的软件错误进行清晰的沟通，并提供一种结构化的方法来精确描述与数据类型相关的漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE 29th Annual Software Technology Conference (STC)

自引率

0.00%

发文量