Vulnerability Description Languages and Classifications - Empirical Validation of Muffett's Second Law?
By davew on Mar 19, 2007
"There are no new security bugs, there are merely ever-more-complex reincarnations of the same classes of bug."
At first sight this appears to fly in the face of the sheer volume of vulnerability disclosures, but there is method behind it. Consider how readily vulnerabilities can be grouped into a small number of classes:
- stack or heap overflows / smashes
- connection source spoofing
- cache poisoning
- dictionary attacks
- data injection into existing sessions
- session replay
- introduction of "unexpected" data (e.g. numbers outside expected ranges, strings longer than expected)
- reference rewriting (whether to force or block branches within self-contained code, or to perpetrate cross-site scripting attacks)
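The "unexpected data" class above, and the stack or heap smash at the top of the list, are two faces of the same defect: a parser trusts that an input's value or length fits the field it is about to store it in. The following C example is added here to illustrate that point and is not code from the original post. The record format (a one-byte TTL plus a 16-byte name field), the field sizes and the function names are all assumed for illustration. The out-of-range side is shown both naively and checked, because unsigned narrowing is well defined in C and can be demonstrated safely; the overlong-string side is shown only in its checked form, since actually overflowing the field would be undefined behaviour.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example record: a one-byte TTL and a fixed 16-byte name field.
   The format is assumed for illustration; it is not taken from the post. */
#define NAME_MAX 16

struct record {
    uint8_t ttl;
    char name[NAME_MAX];
};

/* Naive TTL parse: trusts that the number fits the field. Values above 255 wrap
   silently (unsigned narrowing is well defined in C), so "300" becomes 44. */
uint8_t naive_ttl(const char *s)
{
    return (uint8_t)strtol(s, NULL, 10);
}

/* Checked TTL parse: rejects non-numeric input, trailing junk, and any value
   outside the field's range 0..255. Returns the value, or -1 on rejection. */
int checked_ttl(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;                      /* not a clean decimal number */
    if (v < 0 || v > 255)
        return -1;                      /* outside the field's range */
    return (int)v;
}

/* Checked name copy: the same idea applied to length. Refuses input that does
   not fit the field together with its terminator, and never writes past
   dst[NAME_MAX - 1]. Returns 0 on success, -1 if the input is too long. */
int checked_name(const char *s, char dst[NAME_MAX])
{
    const char *nul = memchr(s, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                      /* no terminator within the field: too long */
    memcpy(dst, s, (size_t)(nul - s) + 1);
    return 0;
}

/* Build a record from untrusted strings; fails closed if either field is bad. */
int parse_record(const char *ttl_s, const char *name_s, struct record *r)
{
    int ttl = checked_ttl(ttl_s);
    if (ttl < 0)
        return -1;
    if (checked_name(name_s, r->name) != 0)
        return -1;
    r->ttl = (uint8_t)ttl;
    return 0;
}

int main(void)
{
    struct record r;
    /* Constructed inputs: one well-formed, one out of range, one too long. */
    const char *inputs[][2] = {
        { "60",  "www.example.com" },
        { "300", "www.example.com" },
        { "60",  "a-name-that-is-far-too-long" },
    };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ok = parse_record(inputs[i][0], inputs[i][1], &r);
        printf("ttl=%-4s name=%-28s naive_ttl=%3d checked=%s\n",
               inputs[i][0], inputs[i][1], (int)naive_ttl(inputs[i][0]),
               ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The two checks share one shape: establish the bound the field imposes (a numeric range, a byte count) and reject anything that does not meet it before writing. Whether the consequence of skipping that step is a silently wrapped value or a smashed stack depends only on the type of the field, which is exactly why the two show up as one class.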
That a vulnerability description language has emerged to handle structured vulnerability disclosures, and that a dictionary of terms is being compiled to keep those disclosures consistent, suggests that this particular Muffett's Law holds a good deal of truth.