Design and implementation of vulnerability code semantic description language
1. School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang, Jiangsu 212013, China; 2. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract To address the shortcomings of current general description languages for security vulnerability source code, a formal vulnerability code semantic description language (VCSDL) was proposed and implemented based on eXtensible Markup Language (XML). From the perspective of vulnerability code, a unified security vulnerability code description language was defined on the basis of the traditional security vulnerability description method, converting unstructured vulnerability source code into structured XML files. The application of VCSDL was discussed, and the description and release of VCSDL were elaborated using vulnerability code from the Juliet vulnerability suite as an example. The performance of VCSDL was compared with that of other description languages. The results show that VCSDL offers good universality and comprehensiveness and is highly structured, with a particular advantage in describing vulnerability code attributes. VCSDL can improve the efficiency of collecting, integrating and analyzing security vulnerability information. VCSDL provides a unified model for exchanging information between different security tools and security vulnerability data sources, which facilitates the exchange of security vulnerability information between different security tools.