On Wed, Jan 26, 2005 at 11:07:50PM +0000, Steve Kemp wrote:
> I think that both the bugs and the DSAs should now be organised
> by category:
Yes, Joey asked me to do this but I just haven't had the time yet.
> * Buffer overflow.
> * Insecure execution.
> * Temporary file / symlink / insecure file creation.
> * Format string bug.
>
> Are there any others that I've missed?
The main problem is that there is no single taxonomy of vulnerability
types. For example, NIST acknowledges different vulnerability types. From
http://icat.nist.gov/icat.cfm?function=statistics
- Input Validation Error:
  - Boundary Condition Error
  - Buffer Overflow
- Access Validation Error
- Exceptional Condition Error
- Environment Error
- Configuration Error
- Race Condition
- Design Error
- Other
So:
Buffer overflow => input validation
Format string bugs => input validation
Temporary symlink attacks => race condition
That taxonomy is not too fine grained. CVE has an informal vulnerability
type usage which Steven Christey has published on different occasions. You
could look at this post on the CVE mailing list:
http://www.cve.mitre.org/board/archives/2002-10/msg00005.html which
references more "fine grained" types of vulnerabilities. This seems to
have been reviewed by Steven again recently:
http://seclists.org/lists/webappsec/2005/Jan-Mar/0056.html
And then OASIS has another list of vulnerability types at
http://lists.oasis-open.org/archives/was/200404/doc00002.doc
Finally, googling I've found a PhD Thesis written by Ivan Victor Krsul,
which certainly looks like it could be a very good read:
http://www.securitymap.net/svm/docs/krsul-phd-thesis.pdf
And there are even more taxonomies available in Citeseer... Matt Bishop, for
example, wrote a paper a while back:
http://citeseer.ist.psu.edu/bishop95taxonomy.html
!
Regards
Javier