Formalization of Software Weakness CWE-128
Formalization of Software Weakness CWE-128

Author(s): Vladimir Dimitrov
Subject(s): Economy, Business Economy / Management, ICT Information and Communications Technologies
Published by: Университет за национално и световно стопанство (УНСС)
Keywords: Z-notation; CWE; Formal specification; Software weakness; Cyber security
Summary/Abstract: Collection and publication of software and hardware vulnerabilities, weaknesses, and attacks is an important activity for cyber defense. NIST has initiated establishment and support of such databases. However, these initiatives are supported in clearly defined process to and by all stakeholders. These are CVE, CWE and CAPEC initiatives maintained by MITRE Corporation. CVE is a list containing all registered software and hardware vulnerabilities in particular platforms. CWE is organized as vulnerability (CVEs) classifier. It has complex hierarchical structure – more precisely, vulnerabilities are classified in several application hierarchies. CAPEC contains attack patterns. The last are organized in complex hierarchical structure as CWEs. CVE, CWE, and CAPEC refer to each other: vulnerabilities are classified by one or more weaknesses; attack patterns exploit one or more weaknesses. CWEs are described in formatted text – structured unformal description. There is no widely accepted formal notation for that purpose. This paper presents an attempt for formal description of CWEs. Z-notation is used as description tool. CWE-128 description is formalized. CWE-128: Wrap-around Error is simple weakness that occurs whenever a value is incremented past the maximum value for its type. Z-notation is standardized tool for formal specification based on mathematics – set theory and logic extended with schemas. It is powerful but complex tool for non-mathematicians. This means that nearly all knowledge can be specified, but the problem is how computer scientists that are not mathematicians would accept these specifications.

• Details
• Contents