On Vulnerabilities, Constraints and Assumptions

Clinical Orthopaedics and Related Research(2005)

Citations: 23 | Views: 5
Abstract
This report presents a taxonomy of vulnerabilities created as a part of an effort to develop a framework for deriving verification and validation strategies to assess software security. This taxonomy is grounded in a theoretical model of computing, which establishes the relationship between vulnerabilities, software applications and the computer system resources. This relationship illustrates that a software application is exploited by violating constraints imposed by computer system resources and assumptions made about their usage. In other words, a vulnerability exists in the software application if it allows violation of these constraints and assumptions. The taxonomy classifies these constraints and assumptions. The model also serves as a basis for the classification scheme the taxonomy uses, in which computer system resources such as memory, input/output, and cryptographic resources serve as categories and subcategories. Vulnerabilities, which are expressed in the form of constraints and assumptions, are classified according to these categories and subcategories. This taxonomy is both novel and distinctively different from other taxonomies found in the literature.
Keywords
verification and validation,software security,input output