Bugs Framework: Formalizing Software Security Weaknesses and Vulnerabilities
Irena Bojanova, Inventor, Creator, PI, Lead, Bugs Framework (BF), 2014 – ~~~~

Bugs Framework (BF) is being created as a formal classification system of software security bugs, faults, and weaknesses that allows unambiguous formal specification of the software security vulnerabilities that exploit them. It comprises:

➢ Software security concepts definitions

➢ A Bugs model with possible flow of operations

➢ A structured, complete, orthogonal, language and domain independent weakness taxonomy

➢ A vulnerability model of weakness chains leading to failures

➢ An LL(1) formal language for specification of weaknesses and vulnerabilities

➢ A database for querying weakness and vulnerability repositories and scoring systems towards BF

Tools for generation of BF CWE and BF CVE formal specifications and visualization of BF classes and BF specifications.

Structured means a weakness is described via one cause, one operation, one consequence, and attributes from the lists defining a BF class (see BF concepts ).This assures precise causal descriptions as (bug, operation, error) and (fault, operation, error) triples. Complete means BF has the expressive power to describe precisely any software security bug and weakness. This assures the BF weakness types have no gaps in coverage. Orthogonal means the sets of operations of any two BF classes do not overlap. This assures the BF weakness types do not overlap, as there is no operation with different meanings. Language and domain independent means BF is applicable for source code in any programming language for any platform, operating environment, or application technology. This assures BF is context-free, as an operation cannot have different meanings depending on the context.

The BF bug model combines the bug models of particular BF cluster of classes that reveal possible chains of weaknesses within a particular BF cluster of classes.

The BF vulnerability model defines how software security weaknesses chain via cause–consequence–cause transitions to form a vulnerability that ends with a software security failure. This assures back-tracking from the failure through the errors to the bug.

The BF formal language is generated by the BF LL(1) context-free formal grammar with lexicon defined by the BF Taxonomy and syntax defined by the BF Vulnerability Model . This assures the BF specifications are unambiguous!

BF Citation: I. Bojanova, NIST, The Bugs Framework (BF), Accessed: . [Online]. Available: https://usnistgov.github.io/BF .

Note: Any BF-application publication that lists classes not featured on this website is a misrepresentation of BF. If in doubt, please seek guidance from the BF PI .

BF Intro Presentations


BF Terminology and Existing Repositories:



BF Goals, Features, and Taxonomy
(contuniation of the previous presentation):



BF Hands On and Potential Impacts
(contuniation of the previous presentation):