Automatic Vulnerability Detection Using Static Source Code Analysis

Automatic Vulnerability Detection Using Static Source Code Analysis (2005)

Cached

Download Links

by Alexander Sotirov

Citations:

BibTeX

@TECHREPORT{Sotirov05automaticvulnerability,
    author = {Alexander Sotirov},
    title = {Automatic Vulnerability Detection Using Static Source Code Analysis},
    institution = {},
    year = {2005}
}

Bookmark

OpenURL

Abstract

We present a static source analysis technique for vulnerability detection in C programs. Our approach is based on a combination of taint analysis, a well known vulnerability detection method, and value range propagation, a technique previously used for compiler optimizations. We examine a sample set of vulnerabilities and develop a vulnerability classification based on common source code patterns. We identify three common characteristics present in most software vulnerabilities: one, data is read from an untrusted source, two, untrusted data is insufficiently validated, and three, untrusted data is used in a potentially vulnerable function or a language construct. We develop a static source analysis that is able to identify execution paths with these three characteristics and report them as potential vulnerabilities. We present an efficient implementation of our approach as an extension to the GNU C Compiler. We discuss the benefits of integrating a vulnerability detection system in a compiler. Finally, we present experimental results indicating a high level of accuracy of our technique.

Citations

914	On computable numbers, with an application to the Entscheidungsproblem - Turing - 1936
749	Efficiently computing static single assignment form and the control dependence graph - Cytron, Ferrante, et al. - 1991
315	Checking System rules using System-specific, Programmer-written Compiler Extensions - Engler, Chelf, et al. - 2000
314	A first step towards automated detection of buffer overrun vulnerabilities - Wagner, Foster, et al. - 2000
295	Constant propagation with conditional branches - Wegman, Zadeck - 1991
182	Detecting format string vulnerabilities with type qualifiers - SHANKAR, TALWAR, et al. - 2001
165	Global value numbers and redundant computations - Rosen, Wegman, et al. - 1988
129	The internet worm program: an analysis - Spafford - 1989
71	The undecidability of aliasing - RAMALINGAM - 1994
67	ITS4: A static vulnerability scanner for C and C++ code - Viega, Bloch, et al. - 2000
61	Accurate static branch prediction by value range propagation - Patterson - 1995
48	Classes of Recursively Enumerable Sets and Their Decision Problems - Rice - 1953
31	a C Program Checker - Johnson - 1977
14	An analysis framework for the McCAT compiler - Sridharan - 1992
10	Protecting from stack-smashing attacks http:// www.trl.ibm.com/projects/security/ssp/main.html - Etoh, Yoda
2	RATS – rough auditing tool for security. http://www.securesoftware.com/resources/tools.html - Software
1	Smashing the stack for fun and profit. Phrack 49–14 - One - 1996
1	Peach fuzzer framework - Eddington
1	Analysis of Perl’s taint mode - Hurst - 2004
1	SecurityFocus vulnerability archive. http://www.securityfocus.com/bid - SecurityFocus
1	Computer Emergency Rediness Team. 2004. Technical cyber security alerts. http://www.us-cert.gov/cas/techalerts - States