• DocumentCode
    2822908
  • Title
    ITS4: a static vulnerability scanner for C and C++ code
  • Author
    Viega, John ; Bloch, J.T. ; Kohno, Yoshi ; McGraw, Gary
  • Author_Institution
    Reliable Software Technol., Dulles, VA, USA
  • fYear
    2000
  • fDate
    36861
  • Firstpage
    257
  • Lastpage
    267
  • Abstract
    We describe ITS4, a tool for statically scanning security-critical C source code for vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4 we found new remotely-exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4
  • Keywords
    C language; C++ language; security of data; software packages; software tools; C code; C++ code; ITS4; e-commerce software; real-time feedback; security-critical source code; software package; software vulnerabilities; static vulnerability scanner; Buffer overflow; Computer languages; Data security; Feedback; Information security; Libraries; Programming profession; Software packages; Software tools; Writing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications, 2000. ACSAC '00. 16th Annual Conference
  • Conference_Location
    New Orleans, LA
  • Print_ISBN
    0-7695-0859-6
  • Type
    conf
  • DOI
    10.1109/ACSAC.2000.898880
  • Filename
    898880