DocumentCode :
2822908
Title :
ITS4: a static vulnerability scanner for C and C++ code
Author :
Viega, John ; Bloch, J.T. ; Kohno, Yoshi ; McGraw, Gary
Author_Institution :
Reliable Software Technol., Dulles, VA, USA
fYear :
2000
fDate :
36861
Firstpage :
257
Lastpage :
267
Abstract :
We describe ITS4, a tool for statically scanning security-critical C source code for vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4 we found new remotely exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4.
Keywords :
C language; C++ language; security of data; software packages; software tools; C code; C++ code; ITS4; e-commerce software; real-time feedback; security-critical source code; software package; software vulnerabilities; static vulnerability scanner; Buffer overflow; Computer languages; Data security; Feedback; Information security; Libraries; Programming profession; Software packages; Software tools; Writing;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Security Applications, 2000. ACSAC '00. 16th Annual Conference
Conference_Location :
New Orleans, LA
Print_ISBN :
0-7695-0859-6
Type :
conf
DOI :
10.1109/ACSAC.2000.898880
Filename :
898880