Abstract
Static analysis technologies and tools have been widely adopted for detecting software bugs and vulnerabilities. However, traditional approaches are limited in extensibility and reusability by their methodologies, and are ill-suited to describing subtle vulnerabilities that arise in complex and hard-to-account-for contexts. This paper proposes a static analysis approach based on an ontology model and enhanced by program slicing for detecting software vulnerabilities. We use the Web Ontology Language (OWL) to model the source code and the Semantic Web Rule Language (SWRL) to describe bug and vulnerability patterns. Program slicing criteria are extracted automatically from the SWRL rules and used to slice the source code. A prototype security vulnerability detection (SVD) tool is developed to demonstrate the validity of the proposed approach.
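As an added illustration of the pipeline the abstract describes (not code from the paper or its SVD prototype): code facts held as OWL-like triples, a SWRL-style rule whose head names the slicing criterion, extraction of that criterion from each rule match, and a backward slice over data dependences that is then checked against the rule's source statement. The four statements, the property vocabulary (`calls`, `uses`, `defines`, `dataDependsOn`) and the rule are all constructed assumptions.

```python
# Constructed triples (subject, predicate, object) for a four-statement method:
#   s1: name = request.getParameter("n")   s2: query = "SELECT ... " + name
#   s3: log(name)                           s4: stmt.executeQuery(query)
FACTS = {
    ("s1", "calls", "getParameter"), ("s1", "defines", "name"),
    ("s2", "defines", "query"), ("s2", "uses", "name"), ("s2", "dataDependsOn", "s1"),
    ("s3", "calls", "log"), ("s3", "uses", "name"), ("s3", "dataDependsOn", "s1"),
    ("s4", "calls", "executeQuery"), ("s4", "uses", "query"), ("s4", "dataDependsOn", "s2"),
}
# SWRL-style pattern (hypothetical vocabulary): body atoms over ?variables and a
# head atom naming the slicing criterion <statement, variable> to extract.
RULE = {"body": [("?sink", "calls", "executeQuery"), ("?sink", "uses", "?v"),
                 ("?src", "calls", "getParameter")],
        "head": ("SlicingCriterion", "?sink", "?v")}

def _unify(term, value, binding):
    """Bind a ?variable or compare a constant; mutates `binding`."""
    if not term.startswith("?"):
        return term == value
    if term in binding:
        return binding[term] == value
    binding[term] = value
    return True
def match(atoms, facts, binding=None):
    """Yield every variable binding under which all atoms hold in `facts`."""
    if not atoms:
        yield dict(binding or {})
        return
    for fact in facts:
        b = dict(binding or {})
        if all(_unify(t, f, b) for t, f in zip(atoms[0], fact)):
            yield from match(atoms[1:], facts, b)
def slicing_criteria(rule, facts):
    """Instantiate the rule head for each match: the criteria to slice on."""
    _, stmt_var, var_var = rule["head"]
    return sorted({(b[stmt_var], b[var_var]) for b in match(rule["body"], facts)})
def backward_slice(stmt, facts):
    """Statements `stmt` transitively data-depends on, itself included."""
    seen, todo = set(), [stmt]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo += [o for x, p, o in facts if x == s and p == "dataDependsOn"]
    return seen
def detect(rule, facts):
    """Criteria whose backward slice reaches a statement bound to ?src."""
    sources = {b["?src"] for b in match(rule["body"], facts)}
    return [c for c in slicing_criteria(rule, facts)
            if backward_slice(c[0], facts) & sources]
```

The slice for the criterion `(s4, query)` contains `s1` but not the unrelated `s3`, which is what lets the rule be evaluated on a reduced program rather than the whole method.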
© 2011 Springer-Verlag Berlin Heidelberg
Yu, L., Wu, SZ., Guo, T., Dong, GW., Wan, CC., Jing, YH. (2011). Ontology Model-Based Static Analysis of Security Vulnerabilities. In: Qing, S., Susilo, W., Wang, G., Liu, D. (eds) Information and Communications Security. ICICS 2011. Lecture Notes in Computer Science, vol 7043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25243-3_27
DOI: https://doi.org/10.1007/978-3-642-25243-3_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25242-6
Online ISBN: 978-3-642-25243-3