Title :
Demonstration of COSAK static analysis tools
Author :
DaCosta, Dan ; Dahn, Christopher ; Mancoridis, Spiros ; Prevelakis, Vassilis
Author_Institution :
Dept. of Comput. Sci., Drexel Univ., Philadelphia, PA, USA
Abstract :
A software vulnerability is a fault in the specification, implementation, or configuration of a software system whose execution can violate an explicit or implicit security policy. Users typically focus on the functionality of software rather than its security posture. Hence, vulnerabilities often escape their attention until the software is exploited by specially written malicious code. Code auditing is one solution which has been tried with some success in systems such as the OpenBSD operating system. Code audits involve the review of source code by experts in search of vulnerabilities. These audits are reoccurring, namely each revision of the software requires reexamination, and expensive because code audits are labor intensive. Auditors would benefit from a tool which enables them to focus their attention on high-risk areas, thus reducing the amount of code that needs to be audited. The article shows how the tools developed at Drexel University can be used to direct the attention of code auditors to those components that have a high likelihood of being vulnerable.
Keywords :
auditing; configuration management; program diagnostics; security of data; COSAK static analysis tools; OpenBSD operating system; code auditing; code auditors; high-risk areas; implicit security policy; malicious code; security posture; software fault; software system; software vulnerability; source code review; Computer languages; Computer science; Costs; Large-scale systems; Open source software; Operating systems; Programming profession; Security; Software performance; Software systems;
Conference_Titel :
DARPA Information Survivability Conference and Exposition, 2003. Proceedings
Print_ISBN :
0-7695-1897-4
DOI :
10.1109/DISCEX.2003.1194898
