Improving security using extensible lightweight static analysis

Cited by: 182
Authors
Evans, D [1]
Larochelle, D [1]
Affiliation
[1] Univ Virginia, Sch Engn & Appl Sci, Dept Comp Sci, Charlottesville, VA 22904 USA
Funding
National Aeronautics and Space Administration (NASA); US National Science Foundation (NSF);
Keywords
Authentication protocols - Legacy code - Lightweight static analysis;
DOI
10.1109/52.976940
Chinese Library Classification number
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
By David Evans and David Larochelle, pp. 42-51. Most security attacks exploit instances of well-known classes of implementation flaws. Developers could detect and eliminate many of these flaws before deploying the software, yet these problems persist with disturbing frequency, not because the security community doesn't sufficiently understand them but because techniques for preventing them have not been integrated into the software development process. This article describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities).
Pages: 42 / +
Number of pages: 11