Towards a “Periodic Table” of Bugs

Author(s)

Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu

Abstract

High-confidence systems must not be vulnerable to attacks that reduce the security, reliability, or availability of the system as a whole. One collection of vulnerabilities is the Common Weakness Enumeration (CWE). It represents a considerable community effort, but many of the descriptions are inaccurate, incomplete, inconsistent, or ambiguous. Our vision is a "natural" organization of a catalog, dictionary, or taxonomy to describe software weaknesses and vulnerabilities. Such an organization will help the community to more closely describe and explain (a) the nature of vulnerabilities (e.g. Heartbleed, Ghost, Chrome WebCore, etc.) and eventually detect, mitigate, or prevent them; (b) the classes of weaknesses that tool warnings cover (e.g. buffer overflow, injection, etc.); and (c) eliminate the need for an exhaustive Cartesian product of CWEs. It may also help (d) predict new classes of weaknesses and vulnerabilities, and (e) improve existing classifications. We started by developing more precise and accurate definitions for three representative CWEs: CWE-307 Improper Restriction of Excessive Authentication Attempts; CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer (Buffer Overflow); and CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Based on CWEs (and the notions of chains and composites), Software Fault Patterns (SFPs), and Semantic Templates, we refined and extended the structures. Our definition of Buffer Overflow is "The software can access through a buffer a memory location not allocated to that buffer." The poster's graph of causes shows that there are only three proximate causes of buffer overflows: 1. Destination is too small, 2. Source is too big, and/or 3. Wrong index / pointer out of range. The poster also shows some of the preceding causes that may lead to those.
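The definition and the three proximate causes above can be turned into a guard: an added C example (not code from the poster or its authors) that refuses any copy touching memory outside the allocation and reports which cause the rejected copy falls under. The function names, the `expected` design size used to tell cause 1 from cause 2, and the sample sizes are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The three proximate causes of buffer overflow named in the abstract. */
typedef enum {
    BO_NONE = 0,            /* access stays inside the allocation */
    BO_DEST_TOO_SMALL,      /* 1. destination allocated smaller than it was designed for */
    BO_SOURCE_TOO_BIG,      /* 2. source larger than the destination was designed for */
    BO_INDEX_OUT_OF_RANGE   /* 3. wrong index / pointer already outside the buffer */
} bo_cause;

/* Hypothetical helper: would copying src_len bytes at 'offset' into a buffer of
 * 'alloc' bytes, designed to hold 'expected' bytes, "access a memory location
 * not allocated to that buffer"? Returns the proximate cause, or BO_NONE. */
bo_cause classify_copy(size_t alloc, size_t expected, size_t offset, size_t src_len)
{
    if (src_len == 0)
        return BO_NONE;                 /* nothing is accessed */
    if (offset >= alloc)
        return BO_INDEX_OUT_OF_RANGE;   /* first byte is already past the end */
    if (src_len > alloc - offset) {     /* overflow-safe form of offset + src_len > alloc */
        /* Which side deviated from the design? An undersized allocation is
         * cause 1; otherwise the data exceeded what was designed for, cause 2. */
        return alloc < expected ? BO_DEST_TOO_SMALL : BO_SOURCE_TOO_BIG;
    }
    return BO_NONE;
}

/* A buffer that carries its allocation and design size so every copy can be checked. */
typedef struct { unsigned char *base; size_t alloc; size_t expected; } buffer;

/* Copy only when the access is provably inside the allocation. */
bo_cause checked_copy(buffer *dst, size_t offset, const unsigned char *src, size_t src_len)
{
    bo_cause c = classify_copy(dst->alloc, dst->expected, offset, src_len);
    if (c == BO_NONE && src_len > 0)
        memcpy(dst->base + offset, src, src_len);
    return c;
}

int main(void)
{
    static const char *names[] = { "none", "destination too small", "source too big", "index out of range" };
    unsigned char storage[8];                    /* constructed 8-byte destination */
    buffer ok = { storage, sizeof storage, 8 };  /* allocated exactly as designed */
    buffer small = { storage, 4, 8 };            /* designed for 8 bytes, allocated only 4 */
    const unsigned char data[12] = { 0 };        /* constructed 12-byte source */
    printf("%s\n", names[checked_copy(&ok, 0, data, 12)]);    /* source too big */
    printf("%s\n", names[checked_copy(&small, 0, data, 8)]);  /* destination too small */
    printf("%s\n", names[checked_copy(&ok, 8, data, 1)]);     /* index out of range */
    return 0;
}
```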
Citation
OWASP Northern Virginia Chapter

Keywords

Common Weakness Enumeration, CWE, software vulnerability, taxonomy of bugs, software assurance

Citation

Black, P. , Bojanova, I. , Yesha, Y. and Wu, Y. (2015), Towards a “Periodic Table” of Bugs, OWASP Northern Virginia Chapter, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=918702, http://www.meetup.com/OWASP-Northern-Virginia-Chapter/events/226663394/ (Accessed October 31, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created June 19, 2015, Updated February 19, 2017