Static Security Analysis Based on Input-Related Software Faults

13 years 11 months ago
Static Security Analysis Based on Input-Related Software Faults
It is important to focus on security aspects during the development cycle to deliver reliable software. However, locating security faults in complex systems is difficult and there are only a few effective automatic tools available to help developers. In this paper we present an approach to help developers locate vulnerabilities by marking parts of the source code that involve user input. We focus on inputrelated code, since an attacker can usually take advantage of vulnerabilities by passing malformed input to the application. The main contributions of this work are two metrics to help locate faults during a code review, and algorithms to locate buffer overflow and format string vulnerabilities in C source code. We implemented our approach as a plugin to the Grammatech CodeSurfer tool. We tested and validated our technique on open source projects and we found faults in software that includes Pidgin and cyrus-imapd.
Csaba Nagy, Spiros Mancoridis
Added 20 May 2010
Updated 20 May 2010
Type Conference
Year 2009
Where CSMR
Authors Csaba Nagy, Spiros Mancoridis
Comments (0)