John Viega
Abstract
We describe ITS4, a tool for statically scanning C and C++ source code for security vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4, we found new remotely exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software.We also describe functionality in more recent tools modeled after ITS4, and discuss algorithms that could easily be used to augment these kinds of tools. Particularly, we describe a solution we have prototyped that allows for more rigorous analysis of C and C++ source code, without failing to analyze parts of the program due to preprocessor conditionals.
- Aho, A., Sethi, R., and Ullman, J. 1986. Compilers: Principles, Techniques and Tools. Addison Wesley, Reading, Mass.]] Google Scholar
Digital Library
- Bishop, M. and Dilger, M. 1996. Checking for race conditions in file accesses. Comput. Syst. 9, 2, 131--152.]]Google Scholar
- Evans, D., Guttag, J., Horning, J., and Tan, Y. 1994. LCLint: A tool for using specifications to check code. In Proceedings of the ACM SIGSOFT '94 Symposium on the Foundations of Software Engineering. ACM, New York, 87--96.]] Google ScholarDigital Library
- Garfinkel, S., and Spafford, G. 1996. Practical Unix and Internet Security. O'Reilly and Associates, Cambridge, Mass.]] Google ScholarDigital Library
- Landi, W. and Ryder, B. 1992. A safe approximation algorithm for interprocedural pointer aliasing. In Proceedings of the SIGPLAN '92 Conference on Programming Language Design and Implementation. ACM, New York, 235--248.]] Google ScholarDigital Library
- Larochelle, D. and Evans, D. 2001. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the 2001 USENIX Security Symposium.]] Google ScholarDigital Library
- Myers, A. 1999. JFLOW: Practical, mostly-static information flow control. In Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Antonio, Tex.), 228--241.]] Google ScholarDigital Library
- Shankar, U., Kunal, T., Foster, J., and Wagner, D. 2001. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 2001 USENIX Security Symposium.]] Google ScholarDigital Library
- Viega, J. and Mcgraw, G. 2001. Building Secure Software. Addison-Wesley, Reading, Mass.]]Google Scholar
- Wagner, D., Foster, J., Brewer, E., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Year 2000 Network and Distributed System Security Symposium (San Diego, Calif.), 3--17.]]Google Scholar
Index Terms
- Token-based scanning of source code for security problems
Recommendations
Detect Related Bugs from Source Code Using Bug Information
COMPSAC '10: Proceedings of the 2010 IEEE 34th Annual Computer Software and Applications ConferenceOpen source projects often maintain open bug repositories during development and maintenance, and the reporters often point out straightly or implicitly the reasons why bugs occur when they submit them. The comments about a bug are very valuable for ...
Do bugs lead to unnaturalness of source code?
ESEC/FSE 2022: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software EngineeringTexts in natural languages are highly repetitive and predictable because of the naturalness of natural languages. Recent research validated that source code in programming languages is also repetitive and predictable, and naturalness is an inherent ...
Code Analysis for Software and System Security Using Open Source Tools
Software security helps in identifying and managing risks. One of the effective ways to identify software vulnerabilities is to analyze its code. Code analysis Chess & West, 2007 helps in catching common coding mistakes such as buffer overflow, unused ...
Comments