Abstract
Computer vulnerabilities seem to be omnipresent. In every system fielded,
programming errors, configuration errors, and operation errors have allowed
unauthorized users to enter systems, or authorized users to take unauthorized
actions. Efforts to eliminate the flaws have failed miserably; indeed, sometimes
attempts to patch a vulnerability have increased the danger. Further, designers
and implementers rarely learn from the mistakes of others, in part because these
security holes are so rarely documented in the open literature.