In order to develop the property-based testing tool to analyze programs for potential security vulnerabilities, we must understand exactly what a vulnerability is in the NASA environment.

A security policy says what is and is not allowed. A vulnerability is a condition that enables someone (the attacker) to violate the security policy. Security policies vary from site to site. For example, consider a race condition in UNIX software that is to be run with root privileges. If all users of that system have root privileges, then the race condition is not a vulnerability, because it only allows users to acquire root, an access they already enjoy. Usually, however, UNIX systems have users who are not authorized to work as root. If such a user exploits the race condition to gain root access, then the security policy (which says that only users authorized to acquire root privileges may acquire them) has been violated.
One ancillary issue is the mapping of a high-level security policy to an implementation level. Continuing the above example, the policy states a rule at an abstract level ("only users authorized to acquire root privileges may acquire root privileges"). At the implementation level, this translates into several rules ("buffer overflows are a vulnerability," "failure to check arguments is a vulnerability," and so forth). Unfortunately, testing for security flaws requires the implementation-level statement of the policy. Hence the vulnerabilities must be stated at that level to prepare for the next step.
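As an added illustration of the race condition used in the example above (this code is not from the original text or from the NASA tool it describes), the following C shows the implementation-level form of the abstract rule: a setuid-root program that checks a file name with access() and then opens it has a time-of-check/time-of-use window in which an unprivileged user can redirect the name to a file only root may read. The function names, the scratch directory under /tmp and the "secret" file are assumptions constructed for the demonstration; the hardened opener is one standard fix (open without following symlinks, then verify the opened object through its descriptor), not the only one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: access() tests permission with the *real* uid, but
 * open() then runs with the *effective* uid (root in a setuid-root program).
 * Between the two calls an attacker who controls the directory can replace
 * `path` with a symlink to a file the real user may not read.  This is the
 * time-of-check/time-of-use (TOCTOU) race the text refers to. */
int open_for_user_vulnerable(const char *path)
{
    if (access(path, R_OK) != 0)          /* time of check */
        return -1;
    return open(path, O_RDONLY);          /* time of use: follows symlinks */
}

/* Hardened pattern: open first, refusing to follow a symlink, then check the
 * object actually opened through the descriptor (which cannot be swapped)
 * against the real uid.  No window exists in which the name can be redirected.
 * A setuid program would typically also drop to the real uid around the open. */
int open_for_user_hardened(const char *path, uid_t real_uid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                        /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Simulate the attacker's move in a scratch directory (constructed for this
 * example): create a regular file, then a symlink pointing at it, and try both
 * openers on the symlink.  Returns 1 when the vulnerable opener follows the link
 * and the hardened one refuses it, 0 otherwise, -1 if scratch setup fails. */
int demo_symlink_swap(void)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[256], link[256];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int result = -1;
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        ssize_t n = write(fd, "secret\n", 7);
        close(fd);
        if (n == 7 && symlink(target, link) == 0) {
            int v = open_for_user_vulnerable(link);          /* opens the target */
            int h = open_for_user_hardened(link, getuid());  /* -1, errno ELOOP */
            result = (v >= 0 && h < 0) ? 1 : 0;
            if (v >= 0) close(v);
            if (h >= 0) close(h);
        }
    }
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("vulnerable opener follows the symlink, hardened one refuses: %s\n",
           demo_symlink_swap() == 1 ? "yes" : "no");
    return 0;
}
```

The demonstration does not need a real race: the symlink stands in for the state the attacker would create inside the check/use window. The point for the testing tool is that the abstract rule ("only authorized users may acquire root") is only checkable once it is restated as the implementation-level property "a privileged program must not make a decision on a name and then act on that name", which is exactly what the vulnerable opener violates.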