Abstract
Static and dynamic program analysis tools mostly focus on the detection of a priori defined defect patterns and security vulnerabilities. Automated detection of logical errors, due to a faulty implementation of applications’ functionality is a relatively uncharted territory. Automation can be based on profiling the intended behavior behind the source code. In this paper, we present a new code profiling method that combines the crosschecking of dynamic program invariants with symbolic execution, an information flow analysis, and the use of fuzzy logic. Our goal is to detect logical errors and exploitable vulnerabilities. The theoretical underpinnings and the practical implementation of our approach are discussed. We test the APP_LogGIC tool that implements the proposed analysis on two real-world applications. The results show that profiling the intended program behavior is feasible in diverse applications. We discuss the heuristics used to overcome the problem of state space explosion and of the large data sets. Code metrics and test results are provided to demonstrate the effectiveness of the approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Dobbins, J.: Inspections as an Up-Front Quality Technique. In: Handbook of Software Quality Assurance, pp. 217–252. Prentice Hall, New York (1998)
McLaughlin, B.: Building Java Enterprise Applications. Architecture, vol. 1. O’ Reilly, Sebastopol (2002)
Peng, W. Wallace, D.: Software Error Analysis. In: NIST Special Publication 500-209. NIST, Gaithersburg, pp. 7–10 (1993)
Kimura, M.: Software vulnerability, definition, modeling, and practical evaluation for e-mail transfer software. Int. J. Pressure Vessels Pip. 83(4), 256–261 (2006)
Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, J.: Toward automated detection of logic vulnerabilities in web applications. In: Proceedings of the 19th USENIX Symposium, USA, p. 10 (2010)
Stergiopoulos, G., Tsoumas, B., Gritzalis, D.: Hunting application-level logical errors. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 135–142. Springer, Heidelberg (2012)
Stergiopoulos, G., Tsoumas, B., Gritzalis, D.: On business logic vulnerabilities hunting: the APP_LogGIC framework. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 236–249. Springer, Heidelberg (2013)
Păsăreanu, C.S., Visser, W.: Verification of Java programs using symbolic execution and invariant generation. In: Graf, S., Mounier, L. (eds.) SPIN 2004. LNCS, vol. 2989, pp. 164–181. Springer, Heidelberg (2004)
The Java PathFinder tool, NASA Ames Research Center, US. http://babelfish.arc.nasa.gov/trac/jpf/
Doupe, A., Boe, B., Vigna, G.: Fear the EAR: discovering and mitigating execution after redirect vulnerabilities. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 251–262. ACM (2011)
Balzarotti, D., Cova, M., Felmetsger, V., Vigna, G.: Multi-module vulnerability analysis of web-based applications. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 25–35. ACM (2007)
Ernst, M., Perkins, J., Guo, P., McCamant, S., Pacheco, C., Tschantz, M., Xiao, C.: The Daikon system for dynamic detection of likely invariants. Sci. Comput. Program. 69, 35–45 (2007)
The Daikon Invariant Detector Manual. http://groups.csail.mit.edu/pag/daikon/
Brumley, D., Newsome, J., Song, D., Wang, H., Jha, S.: Towards automatic generation of vulnerability-based signatures. In: IEEE Symposium on Security and Privacy (2006)
Natella, R., Cotronneo, D., Duraes, J., Madeira, H.: On fault representativeness of software fault injection. IEEE Trans. Softw. Eng. 39(1), 80–96 (2013)
Foundations of Fuzzy Logic, Fuzzy Operators, Mathworks. http://www.mathworks.com/help/toolbox/fuzzy/bp78l6_-1.html
Systems Engineering Fundamentals: Supplementary text prepared by the Defense Acquisition University Press, Defense Acquisition University, USA (2001)
JSCH SSH framework, JCraft. http://www.jcraft.com/jsch/
Cingolani, P., Alcala-Fdez, J.: jFuzzyLogic: a robust and flexible fuzzy-logic inference system language implementation. In: Proceedings of the IEEE International Conference on Fuzzy Systems, pp. 1–8. IEEE (2012)
Leekwijck, W., Kerre, E.: Defuzzification: criteria and classification. Fuzzy Sets Syst. 108(2), 159–178 (1999)
Stoneburner G., Goguen, A.: SP 800-30. Risk management guide for information technology systems. Technical report. NIST, USA (2002)
Burns, A., Burns, R.: Basic Marketing Research. Pearson Education, p. 245 (2008)
Fenton, N., Pfleeger, S.: Software Metrics: A Rigorous and Practical Approach. PWS, Boston (1998)
Giannakopoulou, D., Pasareanu, C., Cobleigh, J.: Assume-guarantee verification of source code with design-level assumptions. In: Proceedings of the 26th International Conference on Software Engineering, pp. 211–220. IEEE (2004)
The OWASP Risk Rating Methodology, www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Theoharidou, M., Kotzanikolaou, P., Gritzalis, D.: Risk assessment methodology for interdependent critical infrastructures. Int. J. Risk Assess. Manage. 15(2/3), 128–148 (2011)
Kandias M., Mitrou L., Stavrou V., Gritzalis, D.: Which side are you on? A new Panopticon vs. privacy. In: Proceedings of 10th International Conference on Security and Cryptography, pp. 98–110. SciTePress (2013)
Albaum, G.: The Likert scale revisited. J. Market res. soc. 39, 331–348 (1997)
Mylonas A., Dritsas, S., Tsoumas V., Gritzalis, D.: Smartphone security evaluation - the malware attack case. In: Proceedings of the 8th International Conference on Security and Cryptography, pp. 25–36. SciTepress, (2011)
Theoharidou, M., Mylonas, A., Gritzalis, D.: A risk assessment method for smartphones. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 443–456. Springer, Heidelberg (2012)
Chatzieleftheriou, G., Katsaros, P.: Test driving static analysis tools in search of C code vulnerabilities. In: Proceedings of the 35th IEEE Computer Software and Applications Conference on Workshops (COMPSACW), Munich, Germany, pp. 96–103. IEEE Computer Society (2011)
Acknowledgment
This research has been co-financed by the European Union (European Social Fund ESF) and Greek national funds through the Operational Program “Education and Lifelong Learning” of the National Strategic Reference Framework (NSRF) - Research Funding Program: Thalis Athens University of Economics and Business - Software Engineering Research Platform.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Stergiopoulos, G., Katsaros, P., Gritzalis, D. (2015). Automated Detection of Logical Errors in Programs. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science(), vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-17127-2_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17126-5
Online ISBN: 978-3-319-17127-2
eBook Packages: Computer ScienceComputer Science (R0)