A Comparison of Publicly Available Tools for Static Intrusion Prevention

A Comparison of Publicly Available Tools for Static Intrusion Prevention (2002)

Cached

Download Links

[www.ida.liu.se]

by John Wilander , Mariam Kamkar

Citations:

20 - 0 self

BibTeX

@MISC{Wilander02acomparison,
    author = {John Wilander and Mariam Kamkar},
    title = {A Comparison of Publicly Available Tools for Static Intrusion Prevention},
    year = {2002}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

The size and complexity of today's software systems is growing, increasing the number of bugs and thus the possibility of security vulnerabilities. Two common attacks against such vulnerabilities are buffer overflow and format string attacks. In this paper we implement a testbed of 44 function calls in C to empirically compare five publicly available tools for static analysis aiming to stop these attacks. The results show very high rates of false positives for the tools building on lexical analysis and very low rates of true positives for the tools building on syntactical and semantical analysis.

Citations

314	A first step towards automated detection of buffer overrun vulnerabilities - Wagner, Foster, et al. - 2000
158	Statically detecting likely buffer overflow vulnerabilities - Larochelle, Evans - 2001
146	Improving security using extensible lightweight static analysis - Evans, Larochelle, et al. - 2002
120	FormatGuard: Automatic protection from printf format string vulnerabilities - Cowan - 2001
119	Building Secure Software: How to Avoid Security Problems The Right Way - Viega, McGraw - 2002
104	LCLint: A tool for using specifications to check code - Evans, Guttag, et al. - 1994
64	Software Fault Injection: Inoculating Programs Against Errors - Voas, McGraw - 1997
32	An Automated Approach for Identifying Potential Vulnerabilities - Ghosh, O‘Connor, et al. - 1998
21	Checking for race conditions in file accesses. Computing Systems Spring - Bishop, Dilger - 1996
20	AINT Misbehaving: A Taxonomy of Anti-Intrusion Techniques”, http://www.sans.org/newlook/resources/IDFAQ/aint.htm, (accessed: 10 - Halme, Bauer - 2000
17	Libsafe: Protecting Critical Elements of Stacks.” Bell Labs. December 25 - Baratloo - 1999
16	Vulnerability Testing of Software System Using Fault Injection - Du, Mathur - 1998
15	and w00w00 Security Team: w00w00 on heap overflows. http://www.w00w00.org/files/articles/heaptut.txt - Conover - 1999
13	Automated detection of format-string vulnerabilities using type qualifiers - Shankar, Talwar, et al. - 2001
12	Team Teso. Exploiting format string vulnerabilities - Scut - 2001
9	The Tao of Windows Buffer Overflow. http://www.cultdeadcow.com/ cDc_files/cDc-351 - “DilDog” - 1998
8	Building software securely from the ground up - Ghosh, Howell, et al. - 2002
6	A comparison of static analysis and fault injection techniques for developing robust system services - Broadwell, Ong - 2002
5	An analysis of how buffer overflow attacks work. IBM developerWorks: Security: Security articles http://www-106.ibm.com/ developerworks/security/library/smash. html?dwzon%e=security - McGraw, Viega - 2000
5	Request for comments: 2828, Internet security glossary. http://www.faqs.org/rfcs/ rfc2828.html - Shirey - 2000
3	Format string attacks. White Paper http://www.guardent.com/ rd_whtpr_formatNewsham.html - Newsham - 2000
3	Pramode and C E Gopakumar. Static checking of C programs with LCLint. Linux Gazette, 51 http://www. linuxgazette. com/issue51/pramode .html - E - 2000
3	Web page http://www.dwheeler.com/ flawfinder - Flawfinder - 2001
3	Secure programming for Linux and Unix HOWTO v2.89. http: //www.dwheeler. com/secure-programs - Wheeler - 2001
2	a C program checker. AT&T Bell Laboratories - Lint - 1978
2	Source code scanners for better code. The Linux Journal http: //www. linuxjournal. com/article.php?sid=5673 - Nazario - 2002
2	id 1387, Wu-Ftpd remote format string stack overwrite vulnerability. http://www. securityfocus. cora/bid/1387 - Bugtraq - 2000
1	Companies on the hook for security. http://news.cora.cora - Bowman - 2002
1	Cert/cc statistics 1988-2001. http://w. cert. org/ stats - Center - 2002
1	Project pedantic--source code analysis tool(s). http://pedantic. sourceforge.net - Nazario - 2002
1	Software security law call. http://news. bbc. co.uk/hi/englistt/sci/ tech/newsid_1762000/1762261.stm - News - 2002
1	Smashing the stack for fun and profit. http://irmnunix.org/ StackGuard/profit.html - One - 1996
1	ITS4: A static vulnerability scanner for C and C-I--I- code - Viega, Bloch, et al. - 2000
1	Security intrusions and intrusion - Wilander