Applying dataflow analysis to detecting software vulnerability

被引:0
作者
Kim, Hyunha [1 ]
Choi, Tae-Hyoung [1 ]
Jung, Seung-Cheol [1 ]
Kim, Hyoung-Cheol [1 ]
Lee, Oukseh [1 ]
Doh, Kyung-Goo [1 ]
机构
[1] Hanyang Univ, Dept Comp Sci & Engn, Seoul, South Korea
来源
10TH INTERNATIONAL CONFERENCE ON ADVANCED COMMUNICATION TECHNOLOGY, VOLS I-III: INNOVATIONS TOWARD FUTURE NETWORKS AND SERVICES | 2008年
关键词
software vulnerability; static analysis; dataflow analysis;
D O I
暂无
中图分类号
TP31 [计算机软件];
学科分类号
081202 ; 0835 ;
摘要
In this paper, we propose a software vulnerability checker which takes rules describing vulnerability patterns and a source program as input and detects locations and paths of the patterns in the program. Simple and How patterns for vulnerabilities are described as rules in the specification language we designed. The lightweight control and data flow analysis is necessary to detect flow patterns. Newly discovered vulnerability patterns can easily be added to the existing rules. We implement the detector in three parts: a pattern matcher which finds locations of vulnerabilities in source program, a flow graph constructor which extracts the control How and data flow from the program, and a flow analyzer which finds program's vulnerable execution paths.
引用
收藏
页码:255 / 258
页数:4
相关论文
共 12 条
[1]  
Blanchet Bruno, 2003, P ACM SIGPLAN 2003 C, P196, DOI [DOI 10.1145/780822.781153, 10.1145/781131.781153, DOI 10.1145/781131.781153]
[2]  
COK DR, 2004, CONSTRUCTION ANAL SA, P108
[3]  
Cousot P., 1976, P 2 INT S PROGR, P106
[4]   Improving security using extensible lightweight static analysis [J].
Evans, D ;
Larochelle, D .
IEEE SOFTWARE, 2002, 19 (01) :42-+
[5]  
*FORT SOFTW, FORT SOURC COD AN
[6]  
Gosling James, 2000, The Java Language Specification
[7]  
Holzmann G.J., 2002, INTEGRATED DESIGN PR
[8]  
IBM, RAT PUR
[9]  
Jung YB, 2005, LECT NOTES COMPUT SC, V3672, P203
[10]  
Necula Necula George C., 2002, P 29 ACM SIGPLAN SIG, P128, DOI [DOI 10.1145/503272.503286, 10.1145/503272.503286]
12