Logo image
Back
Static security analysis based on input-related software faults
Conference proceeding

Static security analysis based on input-related software faults

Csaba Nagy and Spiros Mancoridis
13TH EUROPEAN CONFERENCE ON SOFTWARE MAINTENANCE AND REENGINEERING: CSMR 2009, PROCEEDINGS
01 Jan 2009
DOI: https://doi.org/10.1109/CSMR.2009.51

Abstract

Computer Science Computer Science, Software Engineering Engineering Engineering, Electrical & Electronic Science & Technology Technology
It is important to focus on security aspects during the development cycle to deliver reliable software. However, locating security faults in complex systems is difficult and there are only a few effective automatic tools available to help developers. In this paper we present an approach to help developers locate vulnerabilities by marking parts of the source code that involve user input. We focus on input-related code, since an attacker can usually take advantage of vulnerabilities by passing malformed input to the application. The main contributions of this work are two metrics to help locate faults during a code review, and algorithms to locate buffer overflow and format string vulnerabilities in C source code. We implemented our approach as a plugin to the Grammatech CodeSurfer tool. We tested and validated our technique on open source projects and we found faults in software that includes Pidgin and cyrus-imapd.

Metrics

9 Record Views
4 citations in Web of Science
10 citations in Scopus

Details

InCites Highlights

Data related to this publication, from InCites Benchmarking & Analytics tool:

Collaboration types
Domestic collaboration
International collaboration
Web of Science research areas
Computer Science, Software Engineering
Engineering, Electrical & Electronic
Logo image