Article

Towards Practical Reactive Security Audit Using Extended Static Checkers

Authors:

Julien Vanegue,

Shuvendu K. LahiriAuthors Info & Claims

SP '13: Proceedings of the 2013 IEEE Symposium on Security and Privacy

Pages 33 - 47

https://doi.org/10.1109/SP.2013.12

Published: 19 May 2013 Publication History

Abstract

This paper describes our experience of performing reactive security audit of known security vulnerabilities in core operating system and browser COM components, using an extended static checker HAVOCLITE. We describe the extensions made to the tool to be applicable on such large C++ components, along with our experience of using an extended static checker in the large. We argue that the use of such checkers as a configurable static analysis in the hands of security auditors can be an effective tool for finding variations of known vulnerabilities. The effort has led to finding and fixing around 70 previously unknown security vulnerabilities in over 10 millions lines operating system and browser code.

Cited By

View all

Liu SMa WWang JXie XFeng RLiu YShrivastava ASui Y(2024)Enhancing Code Vulnerability Detection via Vulnerability-Preserving Data AugmentationProceedings of the 25th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems10.1145/3652032.3657564(166-177)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3652032.3657564
Rubio-Medrano CKotak AWang WSohr KNiu JVaidya J(2024)Pairing Human and Artificial Intelligence: Enforcing Access Control Policies with LLMs and Formal SpecificationsProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657032(105-116)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3649158.3657032
Wang PLiu SLiu AJiang W(2024)Detecting security vulnerabilities with vulnerability netsJournal of Systems and Software10.1016/j.jss.2023.111902208:COnline publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1016/j.jss.2023.111902
Show More Cited By

Index Terms

Towards Practical Reactive Security Audit Using Extended Static Checkers
1. Security and privacy

Index terms have been assigned to the content through auto-classification.

Recommendations

Faster and More Complete Extended Static Checking for the Java Modeling Language

Extended Static Checking (ESC) is a fully automated formal verification technique. Verification in ESC is achieved by translating programs and their specifications into verification conditions (VCs). Proof of a VC establishes the correctness of the ...
Extended static checking in JML4: benefits of multiple-prover support
SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing

The implementations of many seemingly simple algorithms are beyond the ability of traditional Extended Static Checking (ESC) tools to verify. Not being able to verify toy examples is often enough to turn users off of the idea of using formal methods. ...
SP 800-12. An Introduction to Computer Security: the NIST Handbook

Comments

Information & Contributors

Information

Published In

SP '13: Proceedings of the 2013 IEEE Symposium on Security and Privacy

May 2013

571 pages

ISBN:9780769549774

Publisher

IEEE Computer Society

United States

Publication History

Published: 19 May 2013

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Liu SMa WWang JXie XFeng RLiu YShrivastava ASui Y(2024)Enhancing Code Vulnerability Detection via Vulnerability-Preserving Data AugmentationProceedings of the 25th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems10.1145/3652032.3657564(166-177)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3652032.3657564
Rubio-Medrano CKotak AWang WSohr KNiu JVaidya J(2024)Pairing Human and Artificial Intelligence: Enforcing Access Control Policies with LLMs and Formal SpecificationsProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657032(105-116)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3649158.3657032
Wang PLiu SLiu AJiang W(2024)Detecting security vulnerabilities with vulnerability netsJournal of Systems and Software10.1016/j.jss.2023.111902208:COnline publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1016/j.jss.2023.111902
Meng DGuerriero MMachiry AAghakhani HBose PContinella AKruegel CVigna GCao JHo Au MLin ZYung M(2021)Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug SymptomsProceedings of the 2021 ACM Asia Conference on Computer and Communications Security10.1145/3433210.3453115(731-743)Online publication date: 24-May-2021
https://dl.acm.org/doi/10.1145/3433210.3453115
Xiao YChen BYu CXu ZYuan ZLi FLiu BLiu YHuo WZou WShi WCapkun SRoesner F(2020)MVPProceedings of the 29th USENIX Conference on Security Symposium10.5555/3489212.3489278(1165-1182)Online publication date: 12-Aug-2020
https://dl.acm.org/doi/10.5555/3489212.3489278
Du XChen BLi YGuo JZhou YLiu YJiang YAtlee JBultan TWhittle J(2019)LeopardProceedings of the 41st International Conference on Software Engineering10.1109/ICSE.2019.00024(60-71)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/ICSE.2019.00024
He SLahiri SRakamarić Z(2018)Verifying Relative Safety, Accuracy, and Termination for Program ApproximationsJournal of Automated Reasoning10.1007/s10817-017-9421-960:1(23-42)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1007/s10817-017-9421-9
He SLahiri SRakamarić Z(2016)Verifying Relative Safety, Accuracy, and Termination for Program ApproximationsProceedings of the 8th International Symposium on NASA Formal Methods - Volume 969010.1007/978-3-319-40648-0_19(237-254)Online publication date: 7-Jun-2016
https://dl.acm.org/doi/10.1007/978-3-319-40648-0_19
Hermann BReif MEichberg MMezini MDi Nitto EHarman MHeymans P(2015)Getting to know you: towards a capability model for JavaProceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering10.1145/2786805.2786829(758-769)Online publication date: 30-Aug-2015
https://dl.acm.org/doi/10.1145/2786805.2786829

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Index Terms

Recommendations

Faster and More Complete Extended Static Checking for the Java Modeling Language

Extended static checking in JML4: benefits of multiple-prover support

SP 800-12. An Introduction to Computer Security: the NIST Handbook

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations