A survey of static analysis methods for identifying security vulnerabilities in software systems

IBM Systems Journal

Volumn 46, Issue 2, 2007, Pages 265-288

  Pistoia, Marco ^a   Chandra, Satish ^a   Fink, Stephen J ^a   Yahav, Eran ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; INTERFACES (COMPUTER); SECURITY OF DATA; STATIC ANALYSIS;

APPLICATION-PROGRAMMING-INTERFACE CONFORMANCE; ROLE-BASED ACCESS CONTROL; SECURITY VULNERABILITIES; STACK-BASED ACCESS CONTROL;

COMPUTER SOFTWARE;

EID: 34250305947     PISSN: 00188670     EISSN: None     Source Type: Journal    
DOI: 10.1147/sj.462.0265     Document Type: Article

References (87)

1. J. H. Saltzer and M. D. Schroeder, "The Protection of Information in Computer Systems," Proceedings of the IEEE 63, No. 9, 1278-1308 (September 1975).
2. Common Criteria, http://www.commoncriteriaportal.org.
3. Sun Microsystems, Security Code Guidelines, http://java.sun.com/security/ seccodeguide.html.
4. Open Web Application Security Project, http://www.owasp.org.
5. U.S. Department of Homeland Security, http://www.dhs.gov.
6. National Vulnerability Database, National Institute of Standards and Technology, U.S. Commerce Department, http://nvd.nist.gov.
7. SecurityFocus, Symantec Corporation, http://www.securityfocus.com.
8. L. Gong, M. Mueller, H. Prafullchandra, and R. Schemers, "Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2," USENIX Symposium on Internet Technologies and Systems, Monterey, CA, USA (December 1997).
9. M. Pistoia, D. Reller, D. Gupta, M. Nagnur, and A. K. Ramani, Java 2 Network Security, 2nd ed., Upper Saddle River, NJ, USA, Prentice Hall PTR (August 1999).
10. D. F. Ferraiolo and D. R. Kuhn, "Role-Based Access Controls," Proceedings of the 15th NIST-NCSC National Computer Security Conference, Baltimore, MD, USA (October 1992), pp. 554-563.
11. M. Pistoia, N. Nagaratnam, L. Koved, and A. Nadalin, Enterprise Java Security, Reading, MA, USA, Addison-Wesley (February 2004).
12. A. Freeman and A. Jones, Programming .NET Security, Sebastopol, CA, USA, O'Reilly & Associates, Inc. (June 2003).
13. G. Naumovich and P. Centonze, "Static Analysis of Role-Based Access Control in J2EE Applications," SIGSOFT Software Engineering Notes 29, No. 5, 1-10 (September 2004).
14. P. Centonze, G. Naumovich, S. J. Fink, and M. Pistoia, "Role-Based Access Control Consistency Validation," Proceedings of the International Symposium on Software Testing and Analysis (ISSTA '06), Portland, Maine, USA (July 2006), pp. 121-132.
15. H. Chen, D. Wagner, and D. Dean, "Setuid Demystified," Proceedings of the 11th USENIX Security Symposium, Berkeley, CA, USA, USENIX Association (August 2002), pp. 171-190.
16. F. Schneider, G. Morrisett, and R. Harper, "A Language-Based Approach to Security," Cornell University, Ithaca, NY, USA, Technical Report TR2000-1825 (November 2000).
17. D. S. Wallach, A. W. Appel, and E. W. Felten, "SAFKASI: A Security Mechanism for Language-Based Systems," ACM Transactions on Software Engineering and Methodology (TOSEM) 9, No. 4, 341-378 (2000).
18. D. S. Wallach and E. W. Felten, "Understanding Java Stack Inspection," Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society Press (May 1998), pp. 52-63.
19. F. Pottier, C. Skalka, and S. F. Smith, "A Systematic Approach to Static Access Control," Proceedings of the 10th European Symposium on Programming Languages and Systems, Springer-Verlag (2001), pp. 30-45.
20. T. P. Jensen, D. L. Métayer, and T. Thorn, "Verification of Control Flow Based Security Properties," Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, CA, USA (May 1999) pp. 89-103.
21. M. Bartoletti, P. Degano, and G. L. Ferrari, "Static Analysis for Stack Inspection," Proceedings of International Workshop on Concurrency and Coordination, Electronic Notes in Theoretical Computer Science 54, Amsterdam, The Netherlands, Elsevier (2001), pp. 69-80.
22. A. Banerjee and D. A. Naumann, "A Simple Semantics and Static Analysis for Java Security," Stevens Institute of Technology, Hoboken, NJ, USA, Technical Report CS2001-1 (July 2001).
23. U. Erlingsson and F. B. Schneider, "IRM Enforcement of Java Stack Inspection," Proceedings of the 2000 IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society (May 2000), pp. 246-255.
24. B. G. Ryder, "Dimensions of Precision in Reference Analysis of Object-Oriented Languages," Proceedings of the 12th International Conference on Compiler Construction, Warsaw, Poland (April 2003), pp. 126-137, invited paper.
25. C. Lai, L. Gong, L. Koved, A. J. Nadalin, and R. Schemers, "User Authentication and Authorization in the Java™ Platform," Proceedings of the 15th Annual Computer Security Applications Conference, Scottsdale, AZ, USA, IEEE Computer Security (December 1999), pp. 285-290.
26. M. Pistoia, "A Unified Mathematical Model for Stack- and Role-Based Authorization Systems," Ph.D. dissertation, Polytechnic University, Brooklyn, NY, USA (May 2005).
27. M. Pistoia, R. J. Flynn, L. Koved, and V. C. Sreedhar, "Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection," Proceedings of the 9th European Conference on Object-Oriented Programming, Glasgow, Scotland, UK, Springer-Verlag (July 2005).
28. IBM Corporation, Security Workbench Development Environment for Java (SWORD4J), http://www.alphaworks.ibm.com/tech/sword4j/.
29. G. A. Kildall, "A Unified Approach to Global Program Optimization," Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages. Boston, MA, USA, ACM Press (1973), pp. 194-206.
30. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, "Role-Based Access Control Models," IEEE Computer 29, No. 2, 38-47 (February 1996).
31. A. Schaad and J. D. Moffett, "A Lightweight Approach to Specification and Analysis of Role-Based Access Control Extensions," Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, Monterey, CA, USA, ACM Press (2002), pp. 13-22.
32. D. Jackson, "Alloy: A Lightweight Object Modelling Notation," ACM Transactions of Software Engineering Methodologies 11, No. 2, 256-290 (2002).
33. D. Jackson, I. Schechter, and H. Shlyahter, "Alcoa: The Alloy Constraint Analyzer," Proceedings of the 22nd International Conference on Software Engineering, Limerick, Ireland, ACM Press (2000), pp. 730-733.
34. E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "A Fine-Grained Access Control System for XML Documents," ACM Transactions on Information Systems Security 5, No. 2, 169-202 (2002).
35. M. Kudo and S. Hada, "XML Document Security Based on Provisional Authorization," Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, ACM Press (November 2000), pp. 87-96.
36. M. Murata, A. Tozawa, M. Kudo, and S. Hada, "XML Access Control Using Static Analysis," Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, ACM Press (October 2003), pp. 73-84.
37. F. Ricca and P. Tonella, "Analysis and Testing of Web Applications," Proceedings of the 23rd International Conference on Software Engineering, Toronto, ON, Canada, IEEE Computer Society (2001), pp. 25-34.
38. D. Clarke, M. Richmond, and J. Noble, "Saving the World from Bad Beans: Deployment-Time Confinement Checking," Proceedings of the 18th Annual ACM SIGPLAN Conference on Object-Oriented Programing, Systems, Languages, and Applications, Anaheim, CA, USA, ACM Press (2003), pp. 374-387.
39. M. Pistoia, S. J. Fink, R. J. Flynn, and E. Yahav, "When Role Models Have Flaws: Static Validation of Enterprise Security Policies," Proceedings of the International Conference on Software Engineering (ICSE 2007), Minneapolis, MN, USA (forthcoming, May 2007).
40. D. E. Denning and P. J. Denning, "Certification of Programs for Secure Information Flow," Communications of the ACM 20, No. 7, 504-513 (July 1977).
41. D. E. Denning, "A Lattice Model of Secure Information Flow," Communications of the ACM 19, No. 5, 236-243 (May 1976).
42. G. Grätzer, General Lattice Theory, 2nd ed., Boston, MA, USA, Birkhäuser (January 2003).
43. J. A. Goguen and J. Meseguer, "Security Policies and Security Models," Proceedings of the 1982 IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society Press (May 1982), pp. 11-20.
44. J. Newsome and D. Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software," Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, IEEE Computer Society (February 2005), http://jimnewsome.net/papers/taintcheck.pdf.
45. K. Ashcraft and D. Engler, "Using Programmer-Written Compiler Extensions to Catch Security Holes," Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society (May 2002), pp. 143-159.
46. A. Sabelfeld and A. Myers, "Language-Based Information-Flow Security," IEEE Journal on Selected Areas in Communications 21, No. 1, 5-19 (January 2003).
47. D. Volpano, C. Irvine, and G. Smith, "A Sound Type System for Secure Flow Analysis," Journal of Computer Security 4, Nos. 2-3, 167-187 (January 1996).
48. A. C. Myers and B. Liskov, "A Decentralized Model for Information Flow Control," Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint Malo, France, ACM Press (October 1997), pp. 129-142.
49. J. F. Koegel, R. M. Koegel, Z. Li, and D. T. Miruke, "A Security Analysis of VAX VMS," ACM '85: Proceedings of the 1985 ACM Annual Conference on the Range of Computing: Mid-80's Perspective, ACM Press (1985), pp. 381-386.
50. L. Wall, T. Christiansen, and J. Orwant, Programming Perl, 3rd ed., Sebastopol, CA, USA, O'Reilly and Associates, Inc. (July 2000).
51. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner, "Detecting Format String Vulnerabilities with Type Qualifiers," Proceedings of the 10th USENIX Security Symposium, Washington, DC, USA (August 2001), pp. 201-220.
52. J. S. Foster, T. Terauchi, and A. Aiken, "Flow-Sensitive Type Qualifiers," Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation, Berlin, Germany (June 2002), pp. 1-12.
53. G. Snelting, T. Robschink, and J. Krinke, "Efficient Path Conditions in Dependence Graphs for Software Safety Analysis," ACM Transactions on Software Engineering and Methodology 15, No. 4, 410-457 (2006).
54. C. Hammer, J. Krinke, and G. Snelting, "Information Flow Control for Java Based on Path Conditions in Dependence Graphs," Proceedings of IEEE International Symposium on Secure Software Engineering, Arlington, Virginia, USA (2006), pp. 87-96.
55. M. Sridharan and R. Bodik, "Refinement-Based Context-Sensitive Points-To Analysis for Java," Proceedings of ACM Conference on Programming Language Design and Implementation (2006), pp. 387-400.
56. V. B. Livshits and M. S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis," Usenix Security Symposium (2005).
57. J. Whaley and M. S. Lam, "Cloning Based Context-Sensitive Pointer Alias Analysis Using BDDs," Proceedings of ACM Conference on Programming Language Design and Implementation (2004), pp. 131-144.
58. D. Hovemeyer and W. Pugh, "Finding Bugs Is Easy," OOPSLA '04: Companion to the 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications, New York, NY, USA, ACM Press (2004), pp. 132-136.
59. PMD, http://sourceforge.net/projects/pmd/.
60. G. Begic and B. Higgins, "Overview of Static Analysis in IBM Rational Application Developer 6.0," http://www-128.ibm. com /developerworks/rational/library/05/higgins.
61. R. E. Strom and S. Yemini, "Typestate: A Programming Language Concept for Enhancing Software Reliability," IEEE Transactions on Software Engineering 12, No. 1, pp. 157-171 (1986).
62. J. Whaley, M. C. Martin, and M. S. Lam, "Automatic Extraction of Object-Oriented Component Interfaces," Proceedings of the International Symposium on Software Testing and Analysis (July 2002), pp. 218-228, http://citeseer.ist.psu.edu/525755.html.
63. R. Alur, P. Cerny, P. Madhusudan, and W. Nam, "Synthesis of Interface Specifications for Java Classes," SIGPLAN Notices 40, No. 1, pp. 98-109 (2005).
64. R. E. Strom and D. M. Yellin, "Extending Typestate Checking Using Conditional Liveness Analysis," IEEE Transactions on Software Engineering 19, No. 5, 478-485 (May 1993).
65. R. DeLine and M. Fähndrich, "Enforcing High-Level Protocols in Low-Level Software," Proceedings of ACM Conference on Programming Language Design and Implementation (June 2001), pp. 59-69.
66. R. DeLine and M. Fähndrich, "Adoption and Focus: Practical Linear Types for Imperative Programming," Proceedings of ACM Conference on Programming Language Design and Implementation, Berlin (June 2002), pp. 13-24.
67. J. S. Foster, T. Terauchi, and A. Aiken, "Flow-Sensitive Type Qualifiers," Proceedings of ACM Conference on Programming Language Design and Implementation, Berlin (June 2002), pp. 1-12.
68. C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata, "Extended Static Checking for Java," Proceedings of ACM Conference on Programming Language Design and Implementation, Berlin (June 2002), pp. 234-245.
69. V. Kuncak, P. Lam, and M. Rinard, "Role Analysis," Proceedings of ACM Symposium on Principles of Programming Languages, Portland, Maine (January 2002), pp. 17-32.
70. A. Aiken, J. S. Foster, J. Kodumal, and T. Terauchi, "Checking and Inferring Local Non-aliasing," ACM SIGPLAN Notices 38, No. 5, 129-140 (May 2003), in Conference on Programming Language Design and Implementation (PLDI).
71. J. C. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby, S. Laubach, and H. Zheng, "Bandera: Extracting Finite-State Models from Java Source Code," Proceedings of International Conference on Software Engineering (June 2000), pp. 439-448.
72. T. Ball and S. K. Rajamani, "Automatically Validating Temporal Safety Properties of Interfaces," Proceedings of 8th International SPIN Workshop of Model Checking of Software (SPIN 2001), in Lecture Notes in Computer Science 2057, 103-122 (2001).
73. K. Ashcraft and D. Engler, "Using Programmer-Written Compiler Extensions to Catch Security Holes," Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA (May 2002).
74. M. Das, S. Lerner, and M. Seigle, "ESP: Path-Sensitive Program Verification in Polynomial Time," ACM SIG PLAN Notices 37, No. 5, 57-68 (May 2002), in Conference on Programming Language Design and Implementation (PLDI).
75. N. Dor, S. Adams, M. Das, and Z. Yang, "Software Validation via Scalable Path-Sensitive Value Flow Analysis," Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (2004), pp. 12-22, http://doi.acm.org/10.1145/1007515.
76. S. Fink, E. Yahav, G. Ramalingam, N. Dor, and E. Geay, "Effective Typestate Verification in the Presence of Aliasing," Proceedings of the International Symposium on Software Testing and Analysis (2006), pp. 133-144.
77. J. Field, D. Goyal, G. Ramalingam, and E. Yahav, "Typestate Verification: Abstraction Techniques and Complexity Results," Proceedings of Static Analysis Symposium (SAS'03), in Lecture Notes in Computer Science 2694, 439-462 (June 2003).
78. G. Ramalingam, A. Warshavsky, J. Field, D. Goyal, and M. Sagiv, "Deriving Specialized Program Analyses for Certifying Component-Client Conformance," Proceedings of ACM Conference on Programming Language Design and Implementation, ACM SIGPLAN Notices 37, No. 5, 83-94, New York: ACM Press (June 17-19 2002).
79. R. Shaham, E. Yahav, E. Kolodner, and M. Sagiv, "Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management," Proceedings of Static Analysis Symposium (2003), pp. 483-503, http://link.springer.de/link/service/series/0558 /bibs/2694/26940483.htm.
80. T. Ball, R. Majumdar, T. Millstein, and S. Rajamani, "Automatic Predicate Abstraction of C Programs," Proceedings of ACM Conference on Programming Language Design and Implementation (June 2001), pp. 203-213.
81. M. Sagiv, T. Reps, and R. Wilhelm, "Parametric Shape Analysis via 3-Valued Logic," Transactions on Programming Languages and Systems (TOPLAS) 24, No. 3, 217-298 (May 2002).
82. E. Yahav and G. Ramalingam, "Verifying Safety Properties Using Separation and Heterogeneous Abstractions," Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, ACM Press (2004), pp. 25-34.
83. T. Ball and S. K. Rajamani, "The SLAM Project: Debugging System Software via Static Analysis," ACM SIGPLAN Notices 37, No. 1, pp. 1-3 (Jan. 2002).
84. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, "Lazy Abstraction," Proceedings of ACM Symposium on Principles of Programming Languages (2002), pp. 58-70.
85. R. DeLine and M. Fähndrich, "Typestates for Objects," 18th European Conference on Object-Oriented Programming (ECOOP), in Lecture Notes in Computer Science 3086, (June 2004), 465-490.
86. M. Fähndrich and R. DeLine, "Adoption and Focus: Practical Linear Types for Imperative Programming," ACM SIGPLAN Notices 37, No. 5, 13-24 (May 2002), in Conference on Programming Language Design and Implementation (PLDI).
87. P. Cousot and R. Cousot, "Systematic Design of Program Analysis Frameworks," Proceedings of ACM Symposium on Principles of Programming Languages, New York, NY, ACM Press (1979), pp. 269-282.