In the appendix, we analyze twenty reported firewall vulnerabilities from

vulnerability databases and reports. These

include the MITRE common vulnerabilities and exposures (CVE) and CVE
candidates (CAN) databases [22], X-Force

archives [23], bugtraq archives [24], and others [25], [26], [27]. We construct
three matrices that offer different perspectives

on firewall vulnerabilities. The first matrix, given in table I, cross references

firewall operations (according to

our firewall data flow model) with vulnerability causes. We simply insert each
vulnerability tag/name in the matrix cell

that corresponds to its classification by cause and its location in our data flow
model. We will use this matrix to develop

an intuition about which errors a firewall operation is most vulnerable to. For
example, we find that the legality checks

operations are susceptible to validation errors. On the other hand, we can

also use the matrix to find the operations

in which a certain error is most often foun