
Towards a Taxonomy of Vulnerabilities

Waikoloa, HI (2007)

Abstract
This paper presents a taxonomy of vulnerabilities created as a part of an effort to develop a framework for deriving verification and validation strategies to assess software security. This taxonomy is grounded in a Process/Object Model of Computation that establishes a relationship between software vulnerabilities, an executing process, and computer system resources such as memory, input/output, or cryptographic resources. That relationship promotes the concept that a software application is vulnerable to exploits when it permits the violation of (a) constraints imposed by computer system resources and/or (b) assumptions made about the usage of those resources. The taxonomy identifies and classifies these constraints and assumptions. The Process/Object Model also serves as a basis for the classification scheme the taxonomy uses. That is, the computer system resources (or objects) identified in the Process/Object Model form the categories and refined subcategories of the taxonomy. Vulnerabilities, which are expressed in the form of constraints and assumptions, are classified within the taxonomy according to these categories and subcategories. This taxonomy of vulnerabilities is novel and distinctively different from other taxonomies found in literature.
Keywords
refined subcategories, software security, taxonomy use, software application, classification scheme, cryptographic resource, software vulnerability, object model form, object model, computer system resource, resource allocation, verification and validation, input output