Vulnerabilities are states in which computer or network system(s) act in violation of a security policy. They arise in the design, implementation, and management stages. The goal of this project is to develop a classification scheme (or schemes) that leads to tools, techniques, and methodologies to detect vulnerabilities, prevent vulnerabilities, and eliminate vulnerabilities.
Currently, most systems have vulnerabilities. The goals of this project speak to the design, implementation, and operation of more reliable, more secure, and more robust systems. If vendors can examine systems and detect vulnerabilities before they ship systems or software, they can save the cost of distributing many patches, and provide customers with products that better protect their data and resources. Preventing vulnerabilities achieves the same goal, with a payoff up front because the extra cost of designing for security into the system greatly reduces the security problems in the system.
In addition to research, this project also focuses on education. The art (and science) of writing robust programs is critical for the implementation of secure programs and systems. Further, all systems have their idiosyncracies. Understanding how system calls work, what not to do, and how to attack systems, helps one understand the weaknesses of computer systems.
As part of both the research and education effort, we are developing a vulnerabilities database. This effort, called the Database Of Vulnerabilities, Exploits, and Signatures, will be an ongoing effore to collect and cross-index vulnerabilities, attack tools ("exploits"), and signatures (traces of the attack used for intrusion detection and/or system forensics). Part of this will be public, but part of it will have limited distribution. It will provide a historical record of vulnerabilities, as well as a database against which theories of vulnerabilities and vulnerability analysis.
These web pages contain information about the project. Please explore them!
Department of Computer Science
3059 Engineering Unit II
phone: +1 (530) 752-8060
fax: +1 (530) 752-4767
Last modified on November 27, 1998.