Title :
Static Security Analysis Based on Input-Related Software Faults
Author :
Nagy, Csaba ; Mancoridis, Spiros
Author_Institution :
Dept. of Software Eng., Univ. of Szeged, Szeged
Abstract :
It is important to focus on security aspects during the development cycle to deliver reliable software. However, locating security faults in complex systems is difficult and there are only a few effective automatic tools available to help developers. In this paper we present an approach to help developers locate vulnerabilities by marking parts of the source code that involve user input. We focus on input-related code, since an attacker can usually take advantage of vulnerabilities by passing malformed input to the application. The main contributions of this work are two metrics to help locate faults during a code review, and algorithms to locate buffer overflow and format string vulnerabilities in C source code. We implemented our approach as a plug in to the Grammatech CodeSurfer tool. We tested and validated our technique on open source projects and we found faults in software that includes Pidgin and cyrus-imapd.
Keywords :
program diagnostics; security of data; software metrics; software reliability; C source code; Grammatech CodeSurfer tool; complex systems; input-related software faults; reliable software; software development; static security analysis; Buffer overflow; Computer security; Data security; Fault diagnosis; Open source software; Performance analysis; Software algorithms; Software engineering; Software maintenance; Software systems; security analysis; static analysis;
Conference_Titel :
Software Maintenance and Reengineering, 2009. CSMR '09. 13th European Conference on
Conference_Location :
Kaiserslautern
Print_ISBN :
978-0-7695-3589-0
DOI :
10.1109/CSMR.2009.51
