Lightweight formal models of software weaknesses

Robin Gandhi, Harvey Pe Siy, Yan Wu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Many vulnerabilities in today's software products are rehashes of past vulnerabilities. Such rehashes could be a result of software complexity that masks inadvertent loopholes in design and implementation, developer ignorance/disregard for security issues, or use of software in contexts not anticipated for the original specification. While weaknesses and exposures in code are vendor, language, or environment specific, to understand them we need better descriptions that identify their precise characteristics in an unambiguous representation. In this paper, we present a methodology to develop precise and accurate descriptions of common software weaknesses through lightweight formal modeling using Alloy. Natural language descriptions of software weaknesses used for formalization are based on the community developed Common Weakness Enumerations (CWE).

Original languageEnglish (US)
Title of host publication2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings
PublisherIEEE Computer Society
Pages50-56
Number of pages7
ISBN (Print)9781467362924
DOIs
StatePublished - Jan 1 2013
Event2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - San Francisco, CA, United States
Duration: May 25 2013May 25 2013

Publication series

Name2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings

Conference

Conference2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013
CountryUnited States
CitySan Francisco, CA
Period5/25/135/25/13

Fingerprint

Masks
Specifications

Keywords

  • Alloy modeling
  • CWE
  • Software weakness

ASJC Scopus subject areas

  • Software

Cite this

Gandhi, R., Siy, H. P., & Wu, Y. (2013). Lightweight formal models of software weaknesses. In 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings (pp. 50-56). [6612277] (2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings). IEEE Computer Society. https://doi.org/10.1109/FormaliSE.2013.6612277

Lightweight formal models of software weaknesses. / Gandhi, Robin; Siy, Harvey Pe; Wu, Yan.

2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings. IEEE Computer Society, 2013. p. 50-56 6612277 (2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Gandhi, R, Siy, HP & Wu, Y 2013, Lightweight formal models of software weaknesses. in 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings., 6612277, 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings, IEEE Computer Society, pp. 50-56, 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013, San Francisco, CA, United States, 5/25/13. https://doi.org/10.1109/FormaliSE.2013.6612277
Gandhi R, Siy HP, Wu Y. Lightweight formal models of software weaknesses. In 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings. IEEE Computer Society. 2013. p. 50-56. 6612277. (2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings). https://doi.org/10.1109/FormaliSE.2013.6612277
Gandhi, Robin ; Siy, Harvey Pe ; Wu, Yan. / Lightweight formal models of software weaknesses. 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings. IEEE Computer Society, 2013. pp. 50-56 (2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings).
@inproceedings{730efe86097c4162ae174a0b9f2c0724,
title = "Lightweight formal models of software weaknesses",
abstract = "Many vulnerabilities in today's software products are rehashes of past vulnerabilities. Such rehashes could be a result of software complexity that masks inadvertent loopholes in design and implementation, developer ignorance/disregard for security issues, or use of software in contexts not anticipated for the original specification. While weaknesses and exposures in code are vendor, language, or environment specific, to understand them we need better descriptions that identify their precise characteristics in an unambiguous representation. In this paper, we present a methodology to develop precise and accurate descriptions of common software weaknesses through lightweight formal modeling using Alloy. Natural language descriptions of software weaknesses used for formalization are based on the community developed Common Weakness Enumerations (CWE).",
keywords = "Alloy modeling, CWE, Software weakness",
author = "Robin Gandhi and Siy, {Harvey Pe} and Yan Wu",
year = "2013",
month = "1",
day = "1",
doi = "10.1109/FormaliSE.2013.6612277",
language = "English (US)",
isbn = "9781467362924",
series = "2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings",
publisher = "IEEE Computer Society",
pages = "50--56",
booktitle = "2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings",

}

TY - GEN

T1 - Lightweight formal models of software weaknesses

AU - Gandhi, Robin

AU - Siy, Harvey Pe

AU - Wu, Yan

PY - 2013/1/1

Y1 - 2013/1/1

N2 - Many vulnerabilities in today's software products are rehashes of past vulnerabilities. Such rehashes could be a result of software complexity that masks inadvertent loopholes in design and implementation, developer ignorance/disregard for security issues, or use of software in contexts not anticipated for the original specification. While weaknesses and exposures in code are vendor, language, or environment specific, to understand them we need better descriptions that identify their precise characteristics in an unambiguous representation. In this paper, we present a methodology to develop precise and accurate descriptions of common software weaknesses through lightweight formal modeling using Alloy. Natural language descriptions of software weaknesses used for formalization are based on the community developed Common Weakness Enumerations (CWE).

AB - Many vulnerabilities in today's software products are rehashes of past vulnerabilities. Such rehashes could be a result of software complexity that masks inadvertent loopholes in design and implementation, developer ignorance/disregard for security issues, or use of software in contexts not anticipated for the original specification. While weaknesses and exposures in code are vendor, language, or environment specific, to understand them we need better descriptions that identify their precise characteristics in an unambiguous representation. In this paper, we present a methodology to develop precise and accurate descriptions of common software weaknesses through lightweight formal modeling using Alloy. Natural language descriptions of software weaknesses used for formalization are based on the community developed Common Weakness Enumerations (CWE).

KW - Alloy modeling

KW - CWE

KW - Software weakness

UR - http://www.scopus.com/inward/record.url?scp=84886073263&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84886073263&partnerID=8YFLogxK

U2 - 10.1109/FormaliSE.2013.6612277

DO - 10.1109/FormaliSE.2013.6612277

M3 - Conference contribution

SN - 9781467362924

T3 - 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings

SP - 50

EP - 56

BT - 2013 1st FME Workshop on Formal Methods in Software Engineering, FormaliSE 2013 - Proceedings

PB - IEEE Computer Society

ER -