Irena Bojanova - Academia.edu
Papers by Irena Bojanova
NIST Special Publication 800, 2024
The Bugs Framework (BF) is a classification of security bugs and related faults that features a formal language for the unambiguous specification of software and hardware security weaknesses and vulnerabilities. BF bugs models, multidimensional weakness and failure taxonomies, and vulnerability models define the lexis, syntax, and semantics of the BF formal language and form the basis for the definition of secure coding principles. The BF formalism supports a deeper understanding of vulnerabilities as chains of weaknesses that adhere to strict causation, propagation, and composition rules. It enables the generation of comprehensively labeled weakness and vulnerability datasets and multidimensional vulnerability classifications. It also enables the development of new algorithms for code analysis and the use of AI models and formal methods to identify bugs and detect, analyze, prioritize, and resolve or mitigate vulnerabilities.
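To make the chain-of-weaknesses idea concrete, here is an added example written for this page (it is not code from NIST SP 800 or the BF project): a small checker for the composition rule that a vulnerability is a sequence of weakness instances, each with a class, an operation, a cause, a consequence and attributes, in which every consequence is carried over as the cause of the next instance. The Heartbleed chain below uses the Data Validation Bugs class that the ISSREW 2021 paper on this page defines; the memory class name, the rule that a chain must end in the named failure, and all cause/consequence/attribute labels are assumptions made for illustration.

```c
/* Added example (not NIST SP 800 / BF project code): checks the
 * consequence-cause transitions of a weakness chain. Labels and the
 * "Memory Read Bugs" class name are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

struct bf_instance {
    const char *bf_class;     /* taxonomic BF class of the weakness */
    const char *operation;    /* operation during which the weakness occurs */
    const char *cause;        /* a bug for the first instance, an error after that */
    const char *consequence;  /* resulting error, or the final failure */
    const char *attributes;   /* attribute list, kept as one free-form string */
};

/* Index i of the first instance whose consequence is not carried over
 * verbatim as the cause of instance i+1, or -1 when every transition holds. */
int bf_first_broken_transition(const struct bf_instance *chain, size_t n) {
    for (size_t i = 0; i + 1 < n; i++)
        if (strcmp(chain[i].consequence, chain[i + 1].cause) != 0)
            return (int)i;
    return -1;
}

/* Simplified rule (an assumption here): a chain describes a vulnerability when
 * it is non-empty, every transition holds, and its last consequence is the
 * failure it claims to explain. */
int bf_chain_is_valid(const struct bf_instance *chain, size_t n, const char *failure) {
    return n > 0
        && bf_first_broken_transition(chain, n) == -1
        && strcmp(chain[n - 1].consequence, failure) == 0;
}

/* Heartbleed (CVE-2014-0160) as a two-instance chain: the missing length
 * check propagates an attacker-controlled length into a buffer over-read. */
const struct bf_instance HEARTBLEED_CHAIN[] = {
    { "Data Validation Bugs", "Validate",
      "missing code: payload length not checked against received record length",
      "invalid data: attacker-controlled payload length",
      "mechanism: missing check; data: 16-bit length field" },
    { "Memory Read Bugs (assumed class name)", "Read",
      "invalid data: attacker-controlled payload length",
      "buffer over-read: adjacent heap memory copied into the response",
      "region: heap; extent: up to 65535 bytes past the real payload" },
};
const char *HEARTBLEED_FAILURE = "buffer over-read: adjacent heap memory copied into the response";

/* Same chain with the second cause mis-stated, so the transition no longer holds. */
const struct bf_instance BROKEN_CHAIN[] = {
    { "Data Validation Bugs", "Validate",
      "missing code: payload length not checked against received record length",
      "invalid data: attacker-controlled payload length",
      "mechanism: missing check; data: 16-bit length field" },
    { "Memory Read Bugs (assumed class name)", "Read",
      "invalid data: attacker-controlled record length",   /* does not match */
      "buffer over-read: adjacent heap memory copied into the response",
      "region: heap; extent: up to 65535 bytes past the real payload" },
};

int main(void) {
    size_t n = sizeof HEARTBLEED_CHAIN / sizeof HEARTBLEED_CHAIN[0];
    printf("Heartbleed chain valid: %d\n",
           bf_chain_is_valid(HEARTBLEED_CHAIN, n, HEARTBLEED_FAILURE));
    printf("Broken chain, first bad transition at instance: %d\n",
           bf_first_broken_transition(BROKEN_CHAIN, n));
    return 0;
}
```

The string-equality rule is deliberately strict: a chain whose author paraphrases an error between two instances fails the check, which is exactly the ambiguity the formal language is meant to remove.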
Book chapter list (excerpt): 1. Analyzing Risks to Determine a New Return on Security Investment: Optimizing Security in an Escalating Threat Environment (pages 1-25). ... 6. New Technologies in E-Banking: Convenient and Trustworthy? ...
John Wiley & Sons, Ltd eBooks, May 13, 2016
Cloud computing provisions resources to consumers in the form of different services like software, infrastructure, platform, and more. Many companies have come forward to offer cloud services. This chapter provides an overview of cloud services offered by various major providers such as Amazon, Microsoft, Google, EMC, Salesforce.com and IBM. They provide various tools and services in order to give cloud support for their customers. Each section briefly describes cloud services offered by a provider and their features, and identifies tools and technologies adopted by the company in order to provide services to the users. This chapter helps readers to distinguish among different services provided by various companies and make appropriate choices to suit their requirements.
Developing standalone applications running on a single computer is very different from developing scalable applications running on the cloud, such as data analytics applications that process terabytes of data, Web applications that receive thousands of requests per second, or distributed computing applications where components run simultaneously across many computers. Cloud computing service providers help facilitate the development of these complex applications through their cloud programming frameworks. A cloud programming framework is a software platform to develop applications in the cloud that takes care of nonfunctional concerns, such as scalability, elasticity, fault tolerance, and load balancing. Using cloud programming frameworks, application developers can focus on the functional aspects of their applications and benefit from the power of cloud computing. In this chapter, we will show how to use some of the existing cloud programming frameworks in three application domains: data analytics, Web applications, and distributed computing. More specifically, we will explain how to use MapReduce (Dean and Ghemawat, 2008) for data analytics, Google App Engine (Google, 2014) for Web applications, and SALSA (Varela and Agha, 2001) for distributed computing. The rest of the chapter is structured as follows. In section 50.2, we describe nonfunctional concerns supported at different levels of cloud services and go through existing cloud programming frameworks. In section 50.3, we explain MapReduce, Google App Engine, and Simple Actor Language System and Architecture (SALSA). In section 50.4, we illustrate how to use these three programming frameworks by showing example applications. Finally, we conclude the chapter in section 50.5.
John Wiley & Sons, Ltd eBooks, May 13, 2016
Cloud computing’s transformational potential is huge and is yet to be fully embraced. Driven by several converging and complementary factors, it is advancing as an IT service‐delivery model at a staggering pace and is causing a paradigm shift in the way we deliver and use IT services and applications. Cloud computing is also helping to close the digital (information) divide. In order to embrace the cloud successfully and harness its power for traditional and new kinds of applications, we must recognize the features and promises of one or more of the three foundational cloud services – software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). We must also understand and properly address several other aspects such as security, privacy, access management, compliance requirements, availability, and functional continuity in case of cloud failure. Furthermore, adopters need to learn how to architect cloud‐based systems that meet their specific requirements. We may have to use cloud services from more than one service provider, aggregate those services, and integrate them with on‐premises legacy systems or applications. To assist cloud users in their transition to the cloud, a broader cloud ecosystem is emerging that aims to offer a spectrum of new cloud support services to augment, complement, or assist the foundational SaaS, IaaS, and PaaS offerings. Examples of such services are security as a service, identity management as a service, and data as a service. Investors, corporations, and startups are eagerly investing in promising cloud computing technologies and services in developed and developing countries. Many startups and established companies continue to enter into the cloud arena offering a variety of cloud products and services, and individuals and businesses around the world are increasingly adopting cloud‐based applications. Governments are promoting cloud adoption, particularly among micro, small, and medium enterprises. Thus, a new larger cloud ecosystem is emerging.
IT Professional, 2023
In this work, we analyse in detail the weaknesses underlying the Heartbleed vulnerability, CVE-2014-0160, and show why and how highly sensitive information could be exposed via buffer over-read.
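As an added illustration of the over-read this paper analyses (example code written for this page, not the authors' or OpenSSL's), the following models the TLS heartbeat handling behind CVE-2014-0160. Process memory is simulated as one byte array holding the received record followed by a constructed secret, so that the over-read stays inside an allocation and the program is well-defined; in the real bug the extra bytes were whatever happened to follow the record in the heap. The secret string, the sample request, and all function names are assumptions; the bounds check in `heartbeat_fixed` follows the shape of the OpenSSL 1.0.1g fix from memory.

```c
/* Added example for this page (not the paper's or OpenSSL's code): a minimal
 * model of the heartbeat handler behind CVE-2014-0160. g_mem simulates the
 * heap: the received record, then an adjacent secret. Names, the secret and
 * the sample request are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HB_HDR      3   /* type (1 byte) + payload length (2 bytes, big-endian) */
#define HB_PADDING  16  /* trailing padding the heartbeat extension requires */

unsigned char g_mem[256];                      /* simulated heap region */
const char *SECRET = "SESSION_KEY=deadbeef";   /* constructed adjacent secret */

/* Lay out a heartbeat request at g_mem[0] whose length field claims
 * claimed_len bytes while only actual_len payload bytes are really sent, and
 * put the secret immediately after the record. Returns the record length as
 * received on the wire, or 0 if it would not fit the simulated region. */
size_t build_record(uint16_t claimed_len, const char *payload, size_t actual_len) {
    size_t record_len = HB_HDR + actual_len + HB_PADDING;
    if (record_len + strlen(SECRET) > sizeof g_mem) return 0;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = 1;                                      /* TLS1_HB_REQUEST */
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + HB_HDR, payload, actual_len);       /* padding bytes stay zero */
    memcpy(g_mem + record_len, SECRET, strlen(SECRET));
    return record_len;
}

/* Vulnerable handler: echoes back as many bytes as the peer's length field
 * claims, never consulting how long the record actually was. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len, unsigned char *resp) {
    (void)record_len;                                  /* ignored: this is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = 2;                                       /* TLS1_HB_RESPONSE */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);  /* reads past the real payload */
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Fixed handler, in the shape of the OpenSSL 1.0.1g patch: silently drop the
 * record unless header + claimed payload + padding fits inside what was
 * actually received. Returns 0 when the record is discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len, unsigned char *resp) {
    if (record_len < HB_HDR + HB_PADDING) return 0;    /* too short to carry a length */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > record_len) return 0;
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* 1 if the whole secret string appears anywhere in the response bytes. */
int response_contains_secret(const unsigned char *resp, size_t resp_len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Run both handlers on one constructed request. Returns a bitmask: bit 0 set
 * if the vulnerable handler leaked the secret, bit 1 if the fixed one did;
 * -1 if the request does not fit the simulated region. */
int run_heartbeat(uint16_t claimed_len, const char *payload) {
    unsigned char resp[sizeof g_mem + HB_HDR + HB_PADDING];
    if ((size_t)claimed_len > sizeof g_mem - HB_HDR - HB_PADDING) return -1;
    size_t record_len = build_record(claimed_len, payload, strlen(payload));
    if (record_len == 0) return -1;
    int leaks = 0;
    size_t n = heartbeat_vulnerable(g_mem, record_len, resp);
    if (response_contains_secret(resp, n)) leaks |= 1;
    n = heartbeat_fixed(g_mem, record_len, resp);
    if (n != 0 && response_contains_secret(resp, n)) leaks |= 2;
    return leaks;
}

int main(void) {
    printf("honest request (claimed 2, sent 2):  leaks=%d\n", run_heartbeat(2, "hi"));   /* 0 */
    printf("attack request (claimed 64, sent 2): leaks=%d\n", run_heartbeat(64, "hi"));  /* 1 */
    return 0;
}
```

The two handlers differ by a single comparison, which is the point of the paper's analysis: the weakness is not in the `memcpy` but in the missing validation of a length that the peer controls, and the over-read is its consequence.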
IT Professional, 2023
In this work, we define the notions of software bug, weakness, and vulnerability in the context of cybersecurity and elucidate their causal relations.
2022 IEEE 29th Annual Software Technology Conference (STC), 2022
In this work, we present an orthogonal classification of data type bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define four language-independent classes that cover all possible kinds of data type bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause→consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence-cause transitions. With our newly developed classes Declaration Bugs, Name Resolution Bugs, Type Conversion Bugs, and Type Computation Bugs, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). The proposed classes allow clear communication about software bugs that relate to misuse of data types, and provide a structured way to precisely describe data type related vulnerabilities.
2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), 2021
In this work, we present an orthogonal classification of input/output check bugs, allowing precise structured descriptions of related software vulnerabilities. We utilize the Bugs Framework (BF) approach to define two language-independent classes that cover all possible kinds of data check bugs. We also identify all types of injection errors, as they are always directly caused by input/output data validation bugs. In BF each class is a taxonomic category of a weakness type defined by sets of operations, cause→consequence relations, and attributes. A BF description of a bug or a weakness is an instance of a taxonomic BF class with one operation, one cause, one consequence, and their attributes. Any vulnerability then can be described as a chain of such instances and their consequence-cause transitions. With our newly developed Data Validation Bugs and Data Verification Bugs classes, we confirm that BF is a classification system that extends the Common Weakness Enumeration (CWE). It allows clear communication about software bugs and weaknesses, providing a structured way to precisely describe real-world vulnerabilities.
IEEE Security & Privacy
The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the 'Most Dangerous Software Errors.' However, the used equation highly biases frequency over exploitability and impact. We provide a metric to mitigate this bias and discuss the most significant software weaknesses over the last ten years.
2022 IEEE 29th Annual Software Technology Conference (STC)