Software Engineering Institute | Carnegie Mellon University

Digital Library

Allen D. Householder
December 2018 - White Paper Towards Improving CVSS

Topics: Vulnerability Analysis

This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).

October 2018 - Poster Modeling the Operations of the Vulnerability Ecosystem

This poster describes models, metrics, datasets, and key performance indicators developed to improve vulnerability response.

March 2018 - Presentation Analyzing 24 Years of CVD

Topics: Vulnerability Analysis

The CERT/CC has pioneered the Coordinated Vulnerability Disclosure (CVD) process. In the past year, they analyzed their case tracking data, focusing on the distribution of case workloads over time. This slide deck contains findings from this analysis.

August 2017 - Special Report The CERT Guide to Coordinated Vulnerability Disclosure

Topics: Vulnerability Analysis

This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go awry and how to respond when it does so.

May 2016 - Podcast Threat Modeling and the Internet of Things

Topics: Vulnerability Analysis

Art Manion and Allen Householder of the CERT Vulnerability Analysis team talk about threat modeling and its use in improving the security of the Internet of Things (IoT).

December 2015 - Technical Report Extending AADL for Security Design Assurance of Cyber-Physical Systems

Topics: Cyber-Physical Systems

This report demonstrates the viability and limitations of using the Architecture Analysis and Design Language (AADL) through an extended example that allows for specifying and analyzing the security properties of an automotive electronics system.

August 2015 - Presentation Vulnerability Coordination and Concurrency

Topics: Vulnerability Analysis

In this talk, the presenter will describe the process of coordinating vulnerability disclosures, why it's hard, and some of the pitfalls and hidden complexities we have encountered.

August 2015 - Presentation Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats

Topics: Vulnerability Analysis

In this talk, we will trace the origin and evolution of a physical-world vulnerability that dates to the late 19th century, and explore whether "building security in" is even always an available option.

July 2015 - White Paper Comments on Bureau of Industry and Security (BIS) Proposed Rule Regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation for Intrusion and Surveillance Items

Topics: Vulnerability Analysis

In this paper, CERT researchers comment on the proposed rule, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items.

May 2013 - White Paper Strengths in Security Solutions

Topics: Cybersecurity Engineering, Secure Coding

In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.

October 2012 - Technical Note Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File

Topics: Vulnerability Analysis

In this 2012 report, Allen Householder describes an algorithm for reverting bits from a fuzzed file to those found in the original seed file to recreate the crash.

August 2012 - Technical Note Probability-Based Parameter Selection for Black-Box Fuzz Testing

Topics: Vulnerability Analysis

In this report, the authors describe an algorithm for automating the selection of seed files and other parameters used in black-box fuzz testing.

January 2005 - Technical Note A Structured Approach to Classifying Security Vulnerabilities

Topics: Secure Coding, Vulnerability Analysis

In this 2005 report, the authors propose a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.

August 2002 - White Paper 2002 Tech Tip: Securing an Internet Name Server

This document discusses name server security and focuses on BIND, which is the most commonly used software for DNS servers.

October 2001 - White Paper 2001 Tech Tip: Managing the Threat of Denial-of-Service Attacks

Topics: Vulnerability Analysis

In this 2001 paper, the authors describe the then-current situation regarding denial-of-service (DoS) attacks and ways of addressing the problem.