ABSTRACT
This paper is devoted to static analysis of software code security. We suggest using heuristic static code analysis to detect the full spectrum of vulnerabilities, including backdoors. We propose production rules to formalize the heuristics for detecting vulnerabilities. We developed a conceptual system of production models for detecting the full spectrum of vulnerabilities in software code. The paper provides examples of heuristic formalization for detecting certain vulnerabilities classified according to the CWE register. It also provides brief statistics on the application of the suggested heuristic analysis in the study of software code security.