A Taxonomy Built on Layers of Abstraction for Time and State Vulnerabilities

Abstract

Software classifications have been created before with the purpose of keeping track of attack patterns as well as providing a history for the various vulnerable software packages. This article focuses on one single class of such attacks, conventionally known as “Time and State†attacks. The authors offer a more fine-grained analysis of the anatomy of such attacks. They reason about vulnerabilities by using “swimlane†diagrams which are loosely derived from UML diagrams, annotated with semantics of concurrent programming, such as the notions of traces and stability. The authors offer a taxonomy based on abstraction layers, implying thereby some form of tree hierarchy where vulnerabilities inherit properties from the upper abstract layers and share code-level flaws on the lower layers. That allows them to classify attacks by what they share in common, which is a different approach than other related classification attempts.