
Improving Security Using Extensible Lightweight Static Analysis

Published: 01 January 2002

Abstract

Most security attacks exploit instances of well-known classes of implementation flaws. Developers could detect and eliminate many of these flaws before deploying the software, yet these problems persist with disturbing frequency, not because the security community doesn't sufficiently understand them but because techniques for preventing them have not been integrated into the software development process. This article describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities).



Information

Published In

IEEE Software, Volume 19, Issue 1
January 2002
102 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States

Qualifiers

  • Research-article
