The New Cryptographic Store/Transfer (CST) Class from Bugs Framework (BF)
The Bugs Framework (BF) is a set of software weakness classes. Each BF class comprises (1) an accurate and precise definition, (2) attributes that identify the software fault, (3) possible causes, (4) consequences that it could lead to, and (5) code sites where it might occur. Building on CWEs, Software Fault Patterns, and Semantic Templates, the Bugs Framework allows us to precisely and unambiguously express software bugs.
This poster presents one new BF class: Cryptographic Store/Transfer (CST). CST covers encryption/decryption, verification, and key management. It details bugs such as a missing required cryptographic step, a weak algorithm, and key exchange without entity authentication.
The work on this new class illustrates how BF clarifies and rationalizes the structure of bugs. For example, CST is intimately related to, but separate from, the Randomization (RND), Authentication (ATN), and Information Exposure (IEX) classes.
The poster contributes to the HCSS theme of Industrialization of Formal Methods. Formal methods must be based on rigorous definitions. In BF we are vastly improving descriptions of bug classes. This enables, for instance, formal reasoning about assurance techniques or mitigation approaches that may work for a fault with certain attributes, but not for the same general class of faults that has other attributes.
--
Irena Bojanova is a computer scientist at NIST and the BF Project Lead. Previously she was a program chair at UMUC, an academic director at JHU-CTY, and a co-founder of OBS Ltd. (now CSC Bulgaria). She earned her Ph.D. in Mathematics/Computer Science from the Bulgarian Academy of Sciences in 1991. Irena serves on the IEEE CS Publications Board, as AEIC of IEEE IT Professional, as co-chair of IEEE RS IoT TC, and as a founding member of IEEE TSC on Big Data. Irena was the founding chair of IEEE CS Cloud Computing STC and EIC of IEEE Transactions on Cloud Computing. She writes cloud and IoT blogs for IEEE CS Computing Now.
Paul E. Black has nearly 20 years of industrial experience in developing software for IC design and verification, assuring software quality, and managing business data processing. He is a Computer Scientist in the Software Quality Group at NIST and is the founder and editor of the Dictionary of Algorithms and Data Structures (http://www.nist.gov/dads/). Paul earned a Ph.D. from Brigham Young University in 1998. He taught classes at Brigham Young University and Johns Hopkins University. He has published in static analysis, software testing, networks and queuing analysis, formal methods, software verification, quantum computing, and computer forensics. He is a member of ACM and IEEE Computer Society and is a senior member of IEEE.