Abstract
Static analysis is used to find programming errors before run time. Unlike dynamic analysis, which examines application state while the application is executing, static analysis does not require the application to be executed. In this paper, we classify security vulnerability patterns in source code and design a model that expresses various security vulnerability patterns using pushdown automata. On the basis of this model, a security vulnerability can be found at the parsing level by Abstract Syntax Tree (AST) based pattern matching.
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kang, H., Kim, K., Hong, S., Lee, D.H. (2006). A Model for Security Vulnerability Pattern. In: Gavrilova, M., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3982. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751595_42
DOI: https://doi.org/10.1007/11751595_42
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34075-1
Online ISBN: 978-3-540-34076-8
eBook Packages: Computer Science (R0)