BF Bug Detection – from Failure to Bug
Irena Bojanova, PI & Lead, NIST Bugs Framework (BF), 2014 –

Create tools that detect bugs starting from a failure (or several failures) through backwards fault-error transitions, utilizing the BF taxonomy together with its causation and propagation rules, including the BF matrices of meaningful (cause, operation, consequence) weakness triples.

BF describes a vulnerability as a chain of improper states and their transitions (see Figure 1). Each improper state corresponds to an instance of a BF class. The initial state has an improper operation over proper operands. The transition states have proper operations with at least one improper operand. All improper states propagate by the error from one state becoming the fault for the next state. In other words, the transition from the initial state is by an improper operation (an operation that has a bug) over proper operands; the transitions from intermediate states are by proper operations with at least one improper operand (the operand is at fault).

The improper operation or improper operand is the cause of that weakness. The improper result from an operation over its operands is the consequence of that weakness, and it becomes a cause for the next weakness or for a failure. Knowing the failure and all the transitions at execution, we should be able to find the bug (see Figure 3): simply go backwards by operand until an operation is improper. Fixing the bug within that operation will resolve the vulnerability.


Figure 1. BF features: Backwards from a failure to the bug – knowing the failure, go backwards by improper operand until an operation is improper; fixing the bug within that operation will resolve the vulnerability.
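The backwards walk described above, as an added example in Python (not code from the BF project): a chain of (cause, operation, consequence) states is checked against the propagation rule, then traversed from the failure one improper operand per step until the state whose operation is improper. The three-state chain, the BF class names DVL, MAD and MUS, and the operation and operand names are assumed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Weakness:
    """One improper state of a BF chain: a (cause, operation, consequence) triple."""
    bf_class: str             # BF class name (names used below are assumed for illustration)
    operation: str            # operation executed in this state
    cause: str                # the improper operation (initial state) or the improper operand
    consequence: str          # improper result; it becomes the cause of the next state
    improper_operation: bool  # True only where the operation itself has the bug

def check_propagation(chain: List[Weakness]) -> List[str]:
    """Propagation rule: the error of one state is the fault of the next, and only the
    initial state may have an improper operation. Returns the violations found."""
    problems = []
    for prev, cur in zip(chain, chain[1:]):
        if cur.improper_operation:
            problems.append(f"{cur.bf_class}: improper operation in a non-initial state")
        if cur.cause != prev.consequence:
            problems.append(f"{prev.consequence!r} does not feed {cur.cause!r}")
    return problems

def backtrack(chain: List[Weakness], failure: str) -> List[Weakness]:
    """Walk backwards from the failure by improper operand and stop at the first state
    whose operation is improper. Returns the states visited, failure side first."""
    problems = check_propagation(chain)
    if problems:
        raise ValueError("; ".join(problems))
    if not chain or chain[-1].consequence != failure:
        return []  # this chain does not end in the observed failure
    visited = []
    for state in reversed(chain):
        visited.append(state)
        if state.improper_operation:
            break  # proper operands, improper operation: this is the bug
        # proper operation over an improper operand: follow that operand back one state
    return visited

def find_bug(chain: List[Weakness], failure: str) -> Optional[Weakness]:
    """The state holding the bug, or None if no improper operation is reached."""
    path = backtrack(chain, failure)
    return path[-1] if path and path[-1].improper_operation else None

# Constructed chain for a buffer overflow: a missing length check (the bug), an
# over-bounds pointer computed from the unchecked data, then a write through it.
VULN_CHAIN = [
    Weakness("DVL", "Validate", "Missing Check", "Invalid Data", True),
    Weakness("MAD", "Reposition", "Invalid Data", "Over Bounds Pointer", False),
    Weakness("MUS", "Write", "Over Bounds Pointer", "Buffer Overflow", False),
]
FAILURE = "Buffer Overflow"
```

`find_bug(VULN_CHAIN, FAILURE)` returns the DVL state, i.e. the Validate operation, after visiting MUS and MAD through their improper operands.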


Please see details also in the following video from May 2021:

BF Goals, Features, and Taxonomy

BF CITATION: Irena Bojanova, NIST Bugs Framework (BF) Goals, Features, and Taxonomy. Video. Accessed: [Online]. Available: https://usnistgov.github.io/BF/info/challenges/bf-backtracking/

I. Bojanova, C. E. Galhardo and S. Moshtari, “Data Type Bugs Taxonomy: Integer Overflow, Juggling, and Pointer Arithmetics in Spotlight,” 2022 IEEE 29th Annual Software Technology Conference (STC), 2022, pp. 192-205, doi: 10.1109/STC55697.2022.00035, Local Download (has CWE-BF di-graphs with links)

I. Bojanova and C. E. Galhardo, “Classifying Memory Bugs Using Bugs Framework Approach,” 2021 IEEE 45th Annual Computers, Software, and Applications Conference (COMPSAC 2021), pp. 1157-1164, doi: 10.1109/COMPSAC51774.2021.00159, Local Download (has CWE-BF di-graphs with links)

I. Bojanova, The Bugs Framework (BF); The Bugs Framework (BF) - with notes; and video from 06/14/2021, 2021 IEEE 45th Annual Computers, Software, and Applications Conference (COMPSAC 2021)

//more to be added//