Background

The medical profession has an extensive, elaborate vocabulary to precisely name muscles, bones, organs, conditions and diseases. When a doctor says that a comatose patient has a left temporal lobe epidural hematoma, the intention is to enlighten, not to obfuscate.

In the software profession, we have many efforts that have helped us develop terms to discuss software, faults, failures, attacks and vulnerabilities, such as the Common Weakness Enumeration (CWE) [1] and Landwehr et. al. Taxonomy of Computer Program Security Flaws [2], but much work remains. We want to more accurately and precisely define software bugs or vulnerabilities. Consider that including "canary" values around arrays detects some buffer overflows while using address layout randomization mitigates other buffer overflows. A precise, orthogonal classification can state exactly which cases of buffer overflows each approach handles. We can also clearly state the classes of bugs that a tool can find and more easily determine if two tools generally find the same set of bugs or if they find different, complimentary sets.

Through centuries of experimentation and development of scientific principles, we now have the Periodic Table of Elements. Just as the structure of the periodic table reflects the underlying atomic structure, we are developing a taxonomy dictated by the "natural" organization of software bugs, while using as stepping stones known bugs enumerations, compendia and collections. For this and other analogies on what we are embarking on, we recall below some well-know organizational structures in science.

Science has developed many different organizational structures. For example, the Periodic Table of Elements, the recently rearranged Tree of Life, the Geographic Coordinate System, and the Dewey Decimal Classification System.

Mendeleev's Periodic Table

Tree of Life

Geographic Coordinate System

Dewey Decimal Classification System

References

    [2] C. E. Landwehr, A. R. Bull, J. P. McDermott, and W. S. Choi. A taxonomy of computer program security flaws, and examples. ACM Computing Surveys. vol. 26. no. 3. pp. 211-254. September 1994.