A Model for Security Vulnerability Pattern

  • Conference paper
Computational Science and Its Applications - ICCSA 2006 (ICCSA 2006)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3982)

Abstract

Static analysis is used to find programming errors before run time. Unlike dynamic analysis, which examines the application's state while it executes, static analysis does not require the application to be executed. In this paper, we classify security vulnerability patterns in source code and design a model that expresses various security vulnerability patterns using pushdown automata. On the basis of this model, security vulnerabilities can be found at the parsing level using an Abstract Syntax Tree (AST) based pattern matching technique.


© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kang, H., Kim, K., Hong, S., Lee, D.H. (2006). A Model for Security Vulnerability Pattern. In: Gavrilova, M., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3982. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751595_42

  • DOI: https://doi.org/10.1007/11751595_42

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34075-1

  • Online ISBN: 978-3-540-34076-8

  • eBook Packages: Computer Science, Computer Science (R0)
