Dailydave mailing list archives
Re: bug classes discovery via inference & reasoning :
From: "Steven M. Christey" <coley () mitre org>
Date: Wed, 31 Jan 2007 12:33:07 -0500 (EST)
But what about determining new classes of bugs?
For over a year, I've been informally working on a "vulnerability theory" that, if successful, might provide a framework for modeling the physics of vulnerabilities (to put it very crudely). At the very least, it is a vocabulary for talking about some stuff that researchers do instinctively.

One long-term application would be to use the framework to identify new classes of bugs, e.g. "product class X has behaviors B1 and B2, with manipulations M1...M5 on resource R that preserve property P and modify property Q. What vulns involve P and Q, which are therefore likely to affect X?" However, it's not as precise as you might be looking for, although conceptually the ideas could go down to that level of detail.

I expect to have some proposals into the usual conferences, but we'll see if they think it's worth anything. It might be too academic-tinged and it's broad in scope, not narrow, so specialists might not find it interesting.

Feel free to contact me offline for a brief summary; it could benefit from some review by forward-thinking people.

- Steve

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- bug classes discovery via inference & reasoning : endrazine (Jan 27)
- <Possible follow-ups>
- Re: bug classes discovery via inference & reasoning : Steven M. Christey (Jan 31)