Title :
Towards Practical Reactive Security Audit Using Extended Static Checkers
Author :
Vanegue, Julien ; Lahiri, S.K.
Author_Institution :
Bloomberg L.P., New York, NY, USA
Abstract :
This paper describes our experience of performing reactive security audit of known security vulnerabilities in core operating system and browser COM components, using an extended static checker HAVOCLITE. We describe the extensions made to the tool to be applicable on such large C++ components, along with our experience of using an extended static checker in the large. We argue that the use of such checkers as a configurable static analysis in the hands of security auditors can be an effective tool for finding variations of known vulnerabilities. The effort has led to finding and fixing around 70 previously unknown security vulnerabilities in over 10 millions lines operating system and browser code.
Keywords :
C++ language; formal verification; operating systems (computers); program compilers; security of data; C++ components; browser COM components; browser code; configurable static analysis; core operating system; extended static checker HAVOCLITE; extended static checkers; practical reactive security audit; security auditors; security vulnerabilities; Browsers; Contracts; Instruments; Manuals; Object oriented modeling; Security; Semantics; extended static checking; program verification; security audit; static analysis;
Conference_Titel :
Security and Privacy (SP), 2013 IEEE Symposium on
Conference_Location :
Berkeley, CA
Print_ISBN :
978-1-4673-6166-8
Electronic_ISBN :
1081-6011
