
Building Of Security Weaknesses Knowledge Base Based On Formal Modeling

Posted on: 2011-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y Cao
Full Text: PDF
GTID: 2178330338989196
Subject: Computer application technology
Abstract/Summary:
With the increasing popularity of web applications, the demand for software trustworthiness has grown steadily. Security is one of the most important aspects of trustworthiness. Software security problems are essentially caused by software security weaknesses that attackers can exploit, so analysis of and research into security weaknesses are essential. Even though research on security weaknesses has made some progress in the last few years, an intrinsic structure of software weaknesses and a formal modeling approach are still lacking.

This paper discusses the causes, likelihood of exploit and potential mitigations of security weaknesses, and analyzes their intrinsic structure at an abstract level. It defines the intrinsic structure of a security weakness as two elements: system behaviors and security constraints. When system behaviors violate security constraints, a security weakness is introduced.

According to this intrinsic structure, the paper uses data resources and operations to refine system behaviors and security constraints, and then formally models specific security weaknesses.

The paper then builds a software security weaknesses knowledge base, and designs and implements a weakness knowledge database management system. This knowledge base can be used by various automatic detection tools, including the security verification module of Union Software Model.

This paper proposes a formal modeling approach that describes security weaknesses essentially and precisely, and builds the software security weaknesses knowledge base. This work lays the foundation for automatic processing of security weaknesses and is of great significance for guiding software developers to build more secure software systems.
Keywords/Search Tags: Security weakness, weakness intrinsic structure, formal modeling, weakness knowledge base