A Practical Formalism for Vulnerability Comparison


Citation

  • S. Engle, S. Whalen, D. Howard, A. Carlson, E. Proebstel, and M. Bishop, “A Practical Formalism for Vulnerability Comparison”, Technical Report CSE-2006-11, Dept. of Computer Science, University of California at Davis, Davis, CA 95616-8562 (Aug. 2006).

Paper

Abstract

In our efforts to create a vulnerability classification scheme, we encountered a significant obstacle: ambiguous or conflicting notions of security, policy, vulnerabilities, and exploits. This paper defines a framework that explicitly and formally defines these and related notions to facilitate vulnerability analysis. We focus our work on the concepts of runtime vulnerabilities, exploits, and policy violations. We then provide an abstraction of these concepts to allow for quantitative comparison of vulnerabilities across systems. Finally, we discuss how this framework allows for practical evaluation of secure systems at a formal level.

Background

This is work from our vulnerability analysis project.


Last updated on Monday, July 20, 2009 at 10:33:12AM PDT