Vulnerability Taxonomies: Current State (Taxonomias de Vulnerabilidades: Situação Atual)

  • André Ricardo Abed Grégio INPE
  • Luiz Gustavo C. Barbato INPE / Centro de Pesquisas Renato Archer
  • Luiz Otávio Duarte INPE
  • Antonio Montes INPE / Centro de Pesquisas Renato Archer
  • Cristine Hoepers INPE / CGI
  • Klaus Steding-Jessen INPE / CGI

Abstract

A large number of software vulnerabilities are discovered every year, yet there is no classification or standardization of the information that should be kept about these vulnerabilities. This article presents a review of work in the areas of vulnerability taxonomies and classifications, discussing the field from the earliest proposals up to the most current work.

Published
26/09/2005

GRÉGIO, André Ricardo Abed; BARBATO, Luiz Gustavo C.; DUARTE, Luiz Otávio; MONTES, Antonio; HOEPERS, Cristine; STEDING-JESSEN, Klaus. Taxonomias de Vulnerabilidades: Situação Atual. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 5., 2005, Florianópolis. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2005. p. 325-338. DOI: https://doi.org/10.5753/sbseg.2005.21540.