T2: The Bugs Framework (BF) “Hands-On”

Irena Bojanova
NIST, Gaithersburg, USA
Paul E. Black
NIST, Gaithersburg, USA


July 25 (Tuesday)


13:30 - 17:00 (Half-day)


The Bugs Framework (BF) organizes software weaknesses (bugs) into distinct classes, such as buffer overflow (BOF), injection (INJ), faulty operation (FOP), and control of interaction frequency (CIF). Each BF class has an accurate and precise definition and comprises:
• Attributes that identify the software fault;
• Causes that bring about the fault;
• Consequences the fault could lead to;
• Sites in code where the fault might occur.

Through a “hands-on” approach, the attendees will be able to analyze the definitions and (static) attributes of bug classes, along with their related dynamic properties, such as proximate, secondary and tertiary causes, consequences and sites. The focus will be on at least three of the developed BF classes, as well as on examples of applying the BF taxonomy to describe vulnerabilities such as Heartbleed, Ghost and Yoggie Pico. The audience will be involved in the development of at least one new BF class and in discussions about the benefits of BF and related future research opportunities. The organizers are the BF Principal Investigators and are proposing this tutorial as a way to share expertise with related communities such as the QRS community.

About the Speakers

Irena Bojanova is a computer scientist at NIST and the BF Project Lead. Previously she was a program chair at UMUC, an academic director at JHU-CTY, and a co-founder of OBS Ltd. (now CSC Bulgaria). She earned her Ph.D. in Mathematics/Computer Science from the Bulgarian Academy of Sciences in 1991. Irena serves on the IEEE CS Publications Board, as AEIC of IEEE IT Professional, as co-chair of IEEE RS IoT TC, and as a founding member of IEEE TSC on Big Data. Irena was the founding chair of IEEE CS Cloud Computing STC and EIC of IEEE Transactions on Cloud Computing. She writes cloud and IoT blogs for IEEE CS Computing Now.

Paul E. Black has nearly 20 years of industrial experience in developing software for IC design and verification, assuring software quality, and managing business data processing. He is the founder and editor of the Dictionary of Algorithms and Data Structures (http://www.nist.gov/dads/). Black earned a Ph.D. from Brigham Young University in 1998. He taught classes at Brigham Young University and Johns Hopkins University. He has published in static analysis, software testing, networks and queuing analysis, formal methods, software verification, quantum computing, and computer forensics. He is a member of ACM and a senior member of IEEE.

Intended Audience

Computer Science and Cybersecurity students, educators and professionals.