A Critical Analysis of Vulnerability Taxonomies



About This Report

From the introduction:

A taxonomy is a system of classification allowing one to uniquely identify something. The best known example, the science of systematics, classifies animals and plants into groups showing the relationship between each. Further, the classification is unique, so two of the same animal will always be classified with the same groups. That is, if one considers the hierarchy to be a tree structure and uniquely numbers each branch, each species of animal or plant is uniquely identified by a 6-tuple (kingdoms, phylums, classes, orders, family, genus).

A taxonomy for security vulnerabilities should provide the same benefits. The specific goals of such a taxonomy are to provide a historical record of the vulnerabilities in a form that system designers and implementers can use to anticipate flaws in their systems; to describe the vulnerabilities in a form useful for detection; to show common characteristics in related flaws for prevention and elimination; and to enable a security monitor to detect exploitation (or attempted exploitation) of the flaws. A taxonomy similar to the biological classification of plants and animals will do these.

Such a taxonomy allows one to classify each vulnerability as a unique ordered tuple. This is essential to detecting new vulnerabilities. Perhaps more importantly, it allows us to determine how many instances of a larger class of flaws are known, which in turn suggests where efforts to reduce or eliminate the flaws should be focused. It also allows us to characterize conditions under which the flaw arises, suggesting ways to detect new instances of the flaw.

The next section contains a precise definition of taxonomy, as well as a review of the PA, RISOS, and Aslam classification schema. The third section shows that two security flaws may be taxonomized in multiple ways under all of these schemes. The paper concludes with some observations on taxonomies and some ideas on how to develop a more precise taxonomy.


This report was prepared for a NIST workshop on sharing vulnerability data.