
arxiv: 2607.01711 · v1 · pith:4AQANCQDnew · submitted 2026-07-02 · 💻 cs.CR

Trust Boundary Semantic Gaps: A Multi-dimensional Analysis and Mitigation for Security-by-Design

Pith reviewed 2026-07-03 11:29 UTC · model grok-4.3

classification 💻 cs.CR
keywords: trust boundary · semantic gap · security-by-design · supply chain security · syntactic validation · incident analysis · SolarWinds

The pith

Artifacts passing syntactic checks at trust boundaries can still violate the receiving domain's security requirements.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that format, protocol, and signature validations are necessary but insufficient when data crosses trust boundaries, because they do not confirm that the artifact meets the receiving side's semantic security expectations. Analysis of 75 reported incidents organizes the resulting misalignments into four dimensions: Identity, Spatial, Temporal, and Interpretation. From this model the authors derive a design-time method that surfaces unstated assumptions, traces how gaps propagate across boundaries, and maps them to candidate controls. The approach treats these semantic gaps as a distinct class of problem that Security-by-Design practices have not yet addressed explicitly.

Core claim

A Trust Boundary Semantic Gap exists when an artifact crosses a trust boundary, passes correctly implemented syntactic validation, yet fails to satisfy the receiving domain's security properties. The authors organize such gaps into the MDTBSG four-dimensional model and introduce the TBSAM framework, which extracts gaps from design specifications, prioritizes them, separates locally originating gaps from propagated ones, and identifies interrupting architectural controls. Retrospective application to the SolarWinds supply-chain attack demonstrates how the method makes receiving-domain assumptions explicit.

What carries the argument

Trust Boundary Semantic Gap (TBSG): the condition in which syntactic validation succeeds while semantic security properties required by the receiving domain remain unestablished.

If this is right

  • Design specifications must record the semantic properties the receiving domain expects, not only the syntactic checks performed.
  • Gaps identified at one boundary can be traced backward to their originating boundary rather than treated only locally.
  • Candidate architectural controls can be assigned to each gap to interrupt propagation paths, as illustrated in the SolarWinds reconstruction.
  • Syntactic validation remains necessary but must be supplemented by explicit semantic checks at trust boundaries.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • The framework could be extended to generate machine-readable trust-boundary contracts that tools might check automatically during design reviews.
  • Similar semantic gaps may appear in non-traditional boundaries such as API contracts between microservices or between models and their training data pipelines.
  • Adoption would require updates to how security standards document assumptions across organizational or vendor boundaries.

Load-bearing premise

The 75 selected security incidents accurately represent and categorize the full range of Trust Boundary Semantic Gaps without material bias or omission.

What would settle it

A documented incident at a trust boundary in which syntactic validation alone proved sufficient to block compromise, or a new incident type that cannot be placed in any of the four MDTBSG dimensions.

Figures

Figures reproduced from arXiv: 2607.01711 by Doyeon Kim, Jin-Young Choi, Junghee Lee.

Figure 1: Structural model of a Trust Boundary Semantic Gap (TBSG). An artifact ...
Figure 2: Log4Shell boundary-level propagation. A syntac...
Figure 3: SolarWinds/SUNBURST cross-boundary propagation graph. The top lane shows the exploit path across five trust ...

Original abstract

Modern systems use format-, protocol-, and signature-based mechanisms before accepting artifacts across trust boundaries. These mechanisms are necessary: they show that an artifact is well formed, protocol-compliant, or properly authenticated. They do not, however, show that the artifact satisfies the semantic security properties required by the receiving domain. A signed update or an authenticated token may therefore be accepted yet enable compromise. We call this condition a Trust Boundary Semantic Gap (TBSG): an artifact crosses a trust boundary and passes correctly implemented syntactic validation, but the assertions established by that pass are insufficient to satisfy the receiving domain's security requirements. TBSG concerns what remains unestablished after a syntactic pass, not absent checks or implementation bugs. Analyzing 75 publicly reported security incidents (2014-2025) at the boundary level, we organize semantic misalignment into a four-dimensional analysis model: Identity, Spatial, Temporal, and Interpretation (MDTBSG). Building on it, we develop Trust Boundary Semantic Analysis and Mitigation (TBSAM), a design-time framework that identifies TBSGs from design specifications, prioritizes them, traces propagated gaps to their originating boundary, and maps each to candidate architectural controls. We apply TBSAM to a retrospective reconstruction of the SolarWinds/SUNBURST supply-chain attack, showing how it makes receiving-domain assumptions explicit, separates locally originating from propagated gaps, and identifies controls that interrupt the path. These results suggest that syntactic validation, while necessary, is not sufficient at trust boundaries, and that making trust-boundary assumptions explicit can complement Security-by-Design.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, and this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper defines Trust Boundary Semantic Gap (TBSG) as the condition where an artifact passes syntactic validation (format, protocol, signature) at a trust boundary but fails to satisfy the receiving domain's semantic security properties. It analyzes 75 publicly reported incidents (2014-2025) to derive a four-dimensional model (MDTBSG: Identity, Spatial, Temporal, Interpretation), then introduces the TBSAM framework for design-time identification, prioritization, tracing, and mitigation of TBSGs. The framework is applied retrospectively to the SolarWinds/SUNBURST attack to demonstrate explicit assumption-making and control mapping. The central claim is that syntactic validation is necessary but insufficient at trust boundaries and that TBSAM complements Security-by-Design.

Significance. If the empirical categorization is robust, the work offers a structured lens for surfacing unstated semantic assumptions at trust boundaries, which are often implicit in current Security-by-Design practices. The SolarWinds reconstruction provides a concrete illustration of separating originating versus propagated gaps and mapping to architectural controls. The approach is falsifiable in principle via further incident studies or controlled design exercises, though its novelty relative to existing trust-boundary and assumption-tracking literature requires clearer positioning.

major comments (2)
  1. [Analysis of 75 incidents] The section describing the analysis of 75 incidents (referenced in the abstract and the paragraph on organizing semantic misalignment): no selection criteria, inclusion/exclusion rules, search methodology, or inter-rater process for mapping incidents to the four MDTBSG dimensions are provided. This is load-bearing for the central claim, as the MDTBSG model and subsequent TBSAM framework are derived directly from this categorization; without transparent criteria, the risk of post-hoc fitting cannot be assessed.
  2. [Definition of TBSG] The definition of TBSG (abstract and introduction): the claim that TBSG concerns only what remains unestablished after a correct syntactic pass, explicitly excluding implementation bugs and absent checks, is not accompanied by a decision procedure or examples showing how borderline cases (e.g., a missing semantic check that could be viewed as either absent or unestablished) are classified. This distinction is load-bearing for separating TBSG from ordinary vulnerabilities.
minor comments (2)
  1. [Abstract] The abstract states the time range 2014-2025 but does not indicate whether the 75 incidents are enumerated in a table or appendix with per-incident dimension assignments; adding such a table would improve verifiability.
  2. [TBSAM framework] The TBSAM framework description would benefit from a small worked example (beyond the high-level SolarWinds reconstruction) showing the tracing and propagation steps on a minimal design specification.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the thoughtful and constructive report. The two major comments identify areas where additional transparency and operational detail will strengthen the manuscript. We address each below and will incorporate revisions to improve methodological clarity and definitional precision while preserving the paper's core contributions on TBSG, MDTBSG, and TBSAM.

Point-by-point responses
  1. Referee: [Analysis of 75 incidents] The section describing the analysis of 75 incidents (referenced in the abstract and the paragraph on organizing semantic misalignment): no selection criteria, inclusion/exclusion rules, search methodology, or inter-rater process for mapping incidents to the four MDTBSG dimensions are provided. This is load-bearing for the central claim, as the MDTBSG model and subsequent TBSAM framework are derived directly from this categorization; without transparent criteria, the risk of post-hoc fitting cannot be assessed.

    Authors: We agree that explicit documentation of the incident analysis methodology is necessary for readers to evaluate the robustness of the derived MDTBSG model. The current manuscript states that the dimensions were obtained from analysis of 75 publicly reported incidents but does not provide the requested procedural details. In the revised version we will insert a dedicated subsection (likely 3.2 or equivalent) that specifies: search sources (NVD, vendor security bulletins, and public incident reports from 2014-2025), inclusion criteria (incidents in which an artifact crossed a trust boundary after correct syntactic validation yet produced a semantic security failure in the receiving domain), exclusion criteria (pure implementation bugs without boundary crossing, or incidents lacking sufficient public detail), and inter-rater process (independent mapping by two authors followed by consensus discussion, with disagreement rate reported). This addition will allow assessment of post-hoc fitting risk without changing the reported incidents or dimensions. revision: yes

  2. Referee: [Definition of TBSG] The definition of TBSG (abstract and introduction): the claim that TBSG concerns only what remains unestablished after a correct syntactic pass, explicitly excluding implementation bugs and absent checks, is not accompanied by a decision procedure or examples showing how borderline cases (e.g., a missing semantic check that could be viewed as either absent or unestablished) are classified. This distinction is load-bearing for separating TBSG from ordinary vulnerabilities.

    Authors: We accept that the boundary between TBSG and other vulnerability classes requires a clearer decision procedure and illustrative cases. The manuscript already states that TBSG applies when syntactic validation succeeds yet the receiving domain's semantic security properties remain unsatisfied, but it does not supply operational guidance for borderline situations. In revision we will augment the definition paragraph in the introduction with (1) a short decision procedure (verify syntactic pass occurred correctly; confirm that the validation does not establish the required semantic assertions; classify as TBSG only if both hold) and (2) three concrete examples distinguishing TBSG from absent checks or bugs (e.g., correctly signed update lacking provenance verification versus no signature check at all). These additions will make the separation from ordinary vulnerabilities more reproducible while leaving the core definition unchanged. revision: yes
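The decision procedure sketched in the response above (confirm the syntactic pass, then check separately whether the receiving domain's semantic assertions were established) and the abstract's four MDTBSG dimensions, as an added Python example that is not from the paper: a signed software-update artifact is accepted only if its signature verifies and it leaves no Identity, Spatial, Temporal or Interpretation gap against the receiving domain's stated assumptions. All product names, keys and timestamps are constructed, HMAC with a shared key stands in for a publisher signature, and the mapping of each check to a dimension is this example's reading of the abstract, not the authors' own classification.

```python
"""Added example: syntactic pass vs. semantic gaps at a trust boundary.
Constructed scenario, not taken from the paper."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Constructed keyring. HMAC with a shared key stands in for a real
# publisher signature; only the pass/fail structure matters here.
KEYRING = {
    "vendor-release-key": b"constructed-release-key",
    "vendor-build-key": b"constructed-build-key",
}
REQUIRED_FIELDS = {"product", "environment", "version", "issued_at",
                   "expires_at", "payload_sha256", "key_id"}


@dataclass
class ReceivingDomain:
    """Assumptions the receiving side holds that a signature never states."""
    product: str
    environment: str
    expected_signer: str        # Identity: which publisher may sign for us
    installed_version: tuple    # Temporal: no rollback below this
    now: int                    # Temporal: unix seconds, for expiry/freshness
    max_age_seconds: int


def sign(manifest: dict, key_id: str) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(KEYRING[key_id], body, hashlib.sha256).hexdigest()


def make_artifact(payload: bytes, key_id: str, **overrides) -> dict:
    """Build a well-formed, correctly signed artifact (constructed values)."""
    manifest = {
        "product": "sample-agent",
        "environment": "prod",
        "version": "2.1.0",
        "issued_at": 1_700_000_000,
        "expires_at": 1_700_086_400,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "key_id": key_id,
    }
    manifest.update(overrides)
    return {"manifest": manifest, "signature": sign(manifest, key_id),
            "payload": payload}


def syntactic_pass(artifact: dict) -> bool:
    """Format + signature check: well formed and signed by some keyring key.
    This is the 'necessary but insufficient' step from the abstract."""
    m = artifact.get("manifest")
    if not isinstance(m, dict) or not REQUIRED_FIELDS.issubset(m):
        return False
    if m["key_id"] not in KEYRING or not re.fullmatch(r"\d+(\.\d+)*", str(m["version"])):
        return False
    return hmac.compare_digest(sign(m, m["key_id"]), str(artifact.get("signature", "")))


def semantic_gaps(artifact: dict, domain: ReceivingDomain) -> list:
    """Return the MDTBSG dimensions the syntactic pass left unestablished."""
    m = artifact["manifest"]
    gaps = []
    # Identity: "signed by a trusted key" is not "signed by the publisher
    # this domain expects for this product".
    if m["key_id"] != domain.expected_signer:
        gaps.append("Identity")
    # Spatial: a valid artifact destined for another product or environment.
    if m["product"] != domain.product or m["environment"] != domain.environment:
        gaps.append("Spatial")
    # Temporal: expired, stale, or a rollback to an older (still signed) version.
    version = tuple(int(p) for p in m["version"].split("."))
    if (m["expires_at"] < domain.now
            or domain.now - m["issued_at"] > domain.max_age_seconds
            or version < domain.installed_version):
        gaps.append("Temporal")
    # Interpretation: the signature covers the manifest, but the receiver acts
    # on the payload; unless the two are bound, "what was signed" and "what
    # will be installed" are read as different things.
    if hashlib.sha256(artifact.get("payload", b"")).hexdigest() != m["payload_sha256"]:
        gaps.append("Interpretation")
    return gaps


def classify(artifact: dict, domain: ReceivingDomain) -> str:
    """Decision procedure: a syntactic failure is an ordinary rejection, not a
    TBSG; a syntactic pass with unestablished semantic properties is a TBSG."""
    if not syntactic_pass(artifact):
        return "rejected: syntactic validation failed"
    gaps = semantic_gaps(artifact, domain)
    return "TBSG: " + ", ".join(gaps) if gaps else "accepted"


if __name__ == "__main__":
    domain = ReceivingDomain("sample-agent", "prod", "vendor-release-key",
                             (2, 0, 0), 1_700_010_000, 86_400)
    print(classify(make_artifact(b"good-bytes", "vendor-release-key"), domain))
    # Signed by a trusted but wrong key: signature verifies, Identity gap remains.
    print(classify(make_artifact(b"good-bytes", "vendor-build-key"), domain))
```

The same structure applies to any boundary artifact (tokens, manifests, attestations): the syntactic verifier answers "is this well formed and signed", while the receiving domain's list of expected properties is what turns that answer into an accept decision.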

Circularity Check

0 steps flagged

No significant circularity; empirical derivation from external incidents

Full rationale

The paper's chain proceeds from an explicit definition of TBSG (syntactic pass succeeds but semantic properties remain unestablished), through analysis of 75 external publicly reported incidents (2014-2025) to induce the four MDTBSG dimensions, then to the TBSAM framework built on that model, and finally to retrospective application on SolarWinds. No step reduces a claimed result to its inputs by construction: the dimensions are presented as an organization of observed misalignments rather than presupposed categories into which incidents are forced; no fitted parameters are relabeled as predictions; no self-citations serve as load-bearing uniqueness theorems; and no equations or ansatzes are involved. The derivation remains self-contained as inductive analysis of independent incident data.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 3 invented entities

Since only the abstract is available, the ledger is based on concepts introduced in the abstract. The central claim rests on the new definitions and the incident analysis as the source of the model.

axioms (1)
  • domain assumption: The 75 incidents provide a sufficient basis for deriving a general four-dimensional model of semantic misalignments.
    The paper builds the MDTBSG model from this analysis.
invented entities (3)
  • Trust Boundary Semantic Gap (TBSG) (no independent evidence)
    purpose: To describe the mismatch between syntactic validation and semantic security requirements.
    New concept defined in the paper.
  • MDTBSG model (no independent evidence)
    purpose: Four-dimensional analysis framework for TBSGs.
    Invented for this work.
  • TBSAM framework (no independent evidence)
    purpose: Design-time identification, prioritization, and mitigation of TBSGs.
    Proposed framework.

