[My Research] A TAXONOMY OF SECURITY FAULTS IN THE UNIX OPERATING SYSTEM - Master Thesis
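1. Faults are introduced during implementation.
2. A fault database in which faults are classified; different testing methods are proposed for the different categories of the classification scheme.
The database serves three purposes: (1) static audit analysis; (2) intrusion detection; (3) fault detection.
It also makes the process of fault prevention and detection more systematic. The database contains two kinds of information: vulnerability information and security patch information.
Question: can "fault" here be equated with "flaw"? What is the definition of a fault?
3. Reasons for classification: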
A fault classification scheme can be used to categorize faults that share a common characteristic. The categories can be used to collect statistics about faults and devise methods for fault prevention and detection. Beizer [Bei83] summarized the importance of fault classifications as:
"It is important to establish categories for bugs if you take the goal of bug prevention seriously. If a particular kind of bug recurs or seems to dominate the kinds of bugs you have, then it is possible through education, training, new controls, revised controls, documentation, inspection, and a variety of other methods to reduce the incidence of that kind of bug. If you have no statistics on the frequency of bugs, you cannot have a rational perspective on where and how to allocate your limited bug prevention resources."
4. Three causes of security breaches:
4.1 operational fault
4.2 coding fault
4.3 environment fault
5. Traditional methods are not effective
penetrate & patch paradigm [Sch79a]
6. The role of security testing [Bei83] (a book: Software Testing Techniques)
confidence in the security measure
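Systematic methods for security testing are lacking; there are currently two:
(1) penetration analysis: requires a tiger team, and the results depend on that team's ability [Lin75, H+80, Wil81, AMP76]
(2) formal verification [MD79]
7. Some examples of penetration analysis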
7.1 Protection Analysis (PA) Project (1970')
It was unable to achieve its original goal of an automated error detection process; the method it used was a pattern-directed approach.
7.2 PISOS project
7.3 Flaw Hypothesis Methodology
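There are many successful cases.
8. Comparison of static and dynamic methods
Each has its own strengths, and the two can complement each other.
Reposted from: https://www.cnblogs.com/wanzhiyuan/archive/2011/08/19/2145741.html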