A Practical Formalism for Vulnerability Comparison
- S. Engle, S. Whalen, D. Howard, A. Carlson, E. Proebstel, and M. Bishop, “A Practical Formalism for Vulnerability Comparison”, Technical Report CSE-2006-11, Dept. of Computer Science, University of California at Davis, Davis, CA 95616-8562 (Aug. 2006).
In our efforts to create a vulnerability classification scheme, we encountered a significant obstacle: ambiguous or conflicting notions of security, policy, vulnerabilities, and exploits. This paper defines a framework that explicitly and formally defines these and related notions to facilitate vulnerability analysis. We focus our work on the concepts of runtime vulnerabilities, exploits, and policy violations. We then provide an abstraction of these concepts to allow for quantitative comparison of vulnerabilities across systems. Finally, we discuss how this framework allows for practical evaluation of secure systems at a formal level.