
A "Periodic Table" of Bugs, or, How Can I Really Tell What's Wrong With My Code?

Hosted By
Michael M. and 2 others

Details

Abstract: Medical doctors spend years learning a vocabulary to precisely designate muscles, bones, organs, diseases, and conditions to communicate clearly. The software community has the Common Weakness Enumeration (CWE), Software Fault Patterns (SFP), and other beginnings, but none of them are complete or easy to understand. We break down the parts of CWEs and SFPs for buffer overflows and injection into simple "atoms" or attributes of bugs, then organize them so they make sense. I will use this "periodic table" to precisely explain Heartbleed (CVE-2014-0160), Ghost (CVE-2015-0235), Chrome WebCore (CVE-2010-1773), and Yoggie Pico (CVE-2007-3572). This gives us a powerful way of talking about the preconditions, attributes, and consequences of bugs. This way of thinking moves us closer to being able to detect, mitigate, and even preclude some kinds of bugs from ever occurring (again).
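To make the "preconditions, attributes, consequences" framing concrete for one of the bugs the talk names, here is an added C example (not the speaker's code and not the talk's taxonomy) of the Heartbleed-class buffer over-read: a peer-supplied payload length is trusted without being compared against the length of the record actually received, so a memcpy reads past the record into neighbouring memory. The heartbeat record layout, the `hb_copy_*` function names, and the "arena" that stands in for adjacent heap memory are simplifications constructed for this example; they are not OpenSSL's code or data structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat record layout (an assumption for this
 * example, not OpenSSL's real struct):
 *   byte 0     : message type (1 = request)
 *   bytes 1..2 : payload length, big-endian, chosen by the peer
 *   bytes 3..  : payload bytes, then padding
 */
#define HB_HDR_LEN 3

static size_t hb_claimed_len(const uint8_t *rec) {
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable variant.
 * Precondition : the length is attacker-controlled and the actual record
 *                length (rec_len) is never consulted.
 * Attribute    : read past the end of the source buffer.
 * Consequence  : whatever follows the record is copied into the reply.
 * Returns bytes copied, or -1 if the destination is too small. */
int hb_copy_vulnerable(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    (void)rec_len;                       /* ignored: that is the bug */
    size_t claimed = hb_claimed_len(rec);
    if (claimed > out_cap) return -1;    /* guards only the destination */
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return (int)claimed;
}

/* Hardened variant: the claimed length must fit inside the received record
 * before anything is copied. Returns bytes copied, or -1 on rejection. */
int hb_copy_hardened(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN) return -1;
    size_t claimed = hb_claimed_len(rec);
    if (claimed > rec_len - HB_HDR_LEN) return -1;  /* source bound: the fix */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return (int)claimed;
}

/* Constructed input: a 7-byte record whose header claims a 16-byte payload,
 * followed by 16 bytes that stand in for a neighbouring heap allocation.
 * Keeping the "neighbour" inside the same array keeps the over-read within
 * allocated memory, so the demonstration itself is well defined. */
#define REC_LEN 7
static const uint8_t arena[REC_LEN + 16] = {
    0x01, 0x00, 0x10, 'p', 'i', 'n', 'g',
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-', '0', '0', '0', '1', '!'
};

/* Constructed well-formed record: claims 4 bytes and carries 4 bytes. */
static const uint8_t good_rec[REC_LEN] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };

int main(void) {
    uint8_t out[64];
    int n = hb_copy_vulnerable(arena, REC_LEN, out, sizeof out);
    printf("vulnerable: copied %d bytes, %d of them past the record: \"%.*s\"\n",
           n, n - 4, n - 4, (const char *)out + 4);
    n = hb_copy_hardened(arena, REC_LEN, out, sizeof out);
    printf("hardened on the same record: %s\n", n < 0 ? "rejected" : "accepted");
    n = hb_copy_hardened(good_rec, REC_LEN, out, sizeof out);
    printf("hardened on a well-formed record: copied %d bytes\n", n);
    return 0;
}
```

The point the decomposition makes is that the vulnerable version does perform a bounds check, just on the wrong buffer: it protects the destination and never relates the claimed length to the source. Static checkers that look for "memcpy with an unchecked length" miss it for exactly that reason, which is why naming the precondition (untrusted length vs. actual source length) matters more than naming the API call.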

Bio: Dr. Paul E. Black has nearly 20 years of industrial experience in areas such as assuring software quality, developing software for IC design and verification, and managing business data processing. He is a member of the SAMATE team in the Software Quality Group, Systems and Software Division, Information Technology Laboratory at NIST. He earned a Ph.D. at Brigham Young University in 1998. Paul has been active in the formal methods research community and has organized several workshops related to software assurance. He taught classes at Brigham Young University and Johns Hopkins University. Paul has published in the areas of static analysis, software testing, software configuration control, networks and queuing analysis, formal methods, software verification, quantum computing, and computer forensics. He is a member of ACM and IEEE Computer Society and a senior member of IEEE.

OWASP Northern Virginia Chapter
11600 Sunrise Valley Drive, Reston, VA