Can source code auditing software identify common vulnerabilities and Be used to evaluate software security?

Proceedings of the Hawaii International Conference on System Sciences

Volumn 37, Issue , 2004, Pages 4405-4414

  Heffley, Jon ^a   Meunier, Pascal ^a  

^a PURDUE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTATIONAL COMPLEXITY; COMPUTER SYSTEM FIREWALLS; ENCODING (SYMBOLS); QUALITY CONTROL; RISK ASSESSMENT; STANDARDS; STATISTICAL METHODS;

SOFTWARE AUDITING; SOFTWARE SECURITY; SOFTWARE VULNERABILITY; SOURCE CODE; SYMLINK ATTACKS;

SOFTWARE ENGINEERING;

EID: 12344279827     PISSN: 10603425     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/hicss.2004.1265654     Document Type: Conference Paper

References (30)

1. Blanchet B. "NWG1: Static Analysis - Summary (MPII)" http://www.mpi-sb.mpg.de/units/nwg1/summary.html
2. Static Analysis http://www.ics.uci.edu/~djr/classes/ics224/lectures/08- StaticAnalysis.pdf
3. CS 390S - Code Injection and Symlinks http://www.cs.purdue.edu/homes/ cs390s/LectureNotes/cs390sIV.pdf
4. Free Online Dictionary of Computing http://foldoc.doc.ic.ac.uk/foldoc/ index.html
5. Sardonix Security Portal, http://www.sardonix.org/
6. Security Focus home vulns discussion: Multiple Vendor FTP Conversion Vulnerability http://www.securityfocus.com/bid/2240/discussion/
7. ITS4: A Static Vulnerability Scanner for C and C++ Code http://www.cigital.com/papers/download/its4.pdf
8. CS 390S - Buffer Overflows http://www.cs.purdue.edu/homes/cs390s/ LectureNotes/cs390sBO.pdf
9. Cqual README file http://www.cs.berkeley.edu/~jfoster/equal/
10. Splint Homepage http://lclint.cs.virginia.edu/
11. FlawFinder Home Page http://www.dwheeler.com/flawfinder/
12. PC-lint/FlexeLint Product Information http://www.gimpel.com/html/ lintinfo.htm
13. Wu-Ftpd Remote Format String Stack Overwrite Vulnerability http://www.securityfocus.com/bid/1387/discussion/
14. Wu-ftpd 2.6.0 patch for format string vulnerabilities http://downloads.securityfocus.eom/vulnerabilities/patches/wu-ftpd2.6.0.diff
15. Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability http://www.securityfocus.com/bid/2296/discussion/
16. Wu-ftpd patch for Debug Mode Client Hostname Format String Vulnerability ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/missing_format_strings. patch
17. Wu-fptd patch for Wu-Ftpd File Globbing Heap Corruption Vulnerability ftp://ftp.leo.org/pub/FreeBSD/ports/distfiles/wu-ftpd/ftpglob.patch
18. Posadis DNS Server Logging Format String Vulnerability http://www.securityfocus.com/bid/4378/discussion/
19. Multiple Vendor BSD eeprom Format String vulnerability http://www.securityfocus.com/bid/1752/discussion/
20. Patch for fixing the Multiple Vendor BSD eeprom Format String vulnerability http://www.tux.org/pub/bsd/openbsd/patches/2.7/common/ 028_format_strings.patch
21. AutoNice Daemon Program Name Format String Vulnerability http://www.securityfocus.com/bid/3580/discussion/
22. Weber, M.; Shah, V.; Ren, C.; (2001) A case study in detecting software security vulnerabilities using constraint optimization. Proceedings of First IEEE International Workshop on Source Code Analysis and Manipulation, pp. 1-11
23. Oulu University Secure Programming Group (2001) PROTOS - Security Testing of Protocol Implementations http://www.ee.oulu.fi/research/ouspg/protos/index. html
24. Hill, G., (1988) A rule-based software engineering tool for code analysis. Seventh Annual International Phoenix Conference on Computers and Communications, pp. 291-295
25. Computer Security Institute. http://www.gocsi.com/press/20020407.html
26. ICAT statistics. http://icat.nist.gov/icat.cfm?function=statistics
27. Mell P., Tracy M.C. (2002) NIST Special Publication (SP) 800-40, Procedures for Handling Security Patches.
28. Miller B.P., Fredriksen L. and So B. (1990) Study of the reliability of UNIX utilities. Communications of the ACM 33, pp 32-44
29. Frantzen M. (1999) ISIC (IP Stack Integrity Checker), http://www.nestonline.com/TrinuxPB/isic.txt
30. Blanchet B., Cousot P., Cousot R., Feret J., Mauborgne L., Miné A., Monniaux D., and Rival X. "A Static Analyzer for Large Safety-Critical Software". In ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI'03), pages 196-207, San Diego, California, June 2003. ACM.