Static Security Analysis Based on Input-Related Software Faults
It is important to focus on security aspects during the development cycle to deliver reliable software. However, locating security faults in complex systems is difficult and there are only a few effective automatic tools available to help developers. In this paper we present an approach to help deve...
Saved in:
| Published in: | 2009 13th European Conference on Software Maintenance and Reengineering pp. 37 - 46 |
|---|---|
| Main Authors: | , |
| Format: | Conference Proceeding |
| Language: | English |
| Published: |
IEEE
01.03.2009
|
| Subjects: | |
| ISBN: | 1424437555, 0769535895, 9781424437559, 9780769535890 |
| ISSN: | 1534-5351 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | It is important to focus on security aspects during the development cycle to deliver reliable software. However, locating security faults in complex systems is difficult and there are only a few effective automatic tools available to help developers. In this paper we present an approach to help developers locate vulnerabilities by marking parts of the source code that involve user input. We focus on input-related code, since an attacker can usually take advantage of vulnerabilities by passing malformed input to the application. The main contributions of this work are two metrics to help locate faults during a code review, and algorithms to locate buffer overflow and format string vulnerabilities in C source code. We implemented our approach as a plug in to the Grammatech CodeSurfer tool. We tested and validated our technique on open source projects and we found faults in software that includes Pidgin and cyrus-imapd. |
|---|---|
| ISBN: | 1424437555 0769535895 9781424437559 9780769535890 |
| ISSN: | 1534-5351 |
| DOI: | 10.1109/CSMR.2009.51 |