A case study in detecting software security vulnerabilities using constraint optimization

Proceedings - 1st IEEE International Workshop on Source Code Analysis and Manipulation

Volumn , Issue , 2001, Pages 1-11

  Weber, M ^a   Shah, V ^a   Ren, C ^a  

^a Cigital   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BUFFER STORAGE; C (PROGRAMMING LANGUAGE); CONSTRAINED OPTIMIZATION; JAVA PROGRAMMING LANGUAGE;

ANALYSIS TECHNIQUES; BUFFER OVERFLOWS; C PROGRAMS; CONSTRAINT OPTIMIZATIONS; PROCESS FLOWS; SOFTWARE SECURITY; STATIC METHOD;

STATIC ANALYSIS;

EID: 84963808166     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SCAM.2001.972661     Document Type: Conference Paper

References (9)

1. C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX2000), Los Alamitos, CA, January 25-27 2000. DARPA, IEEE Computer Society. Crowne Plaza, Hilton Head, S.C.
2. J. Ferrante, K. J. Ottenstein, and J. D. Watson. The program dependency graph and its use in optimization. ACM Transactions on Programming Languages and Systems, 9(3), July 1987.
3. M. Hind and A. Pioli. Which pointer analysis should I use. In ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2000), Portland, OR, August 2000.
4. S. Horowitz, T. Reps, and D. Binkley. Interprocedural slicing using dependency graphs. ACM Transactions on Programming Languages and Systems, 12(1), January 1990.
5. W. Landi. Undecidability of static analysis. ACM Letters on Programming Languages and Systems, 1(4):323-337, December 1992.
6. C. C. Michael, G. E. McGraw, and M. A. Schatz. Opportunism and diversity in automated software test data generation. In Proc. Automated Software Engineering '98, pages 136-146, 1998.
7. J. Viega, J. T. Bloch, Y. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Sixteenth Annual Computer Security Applications Conference, pages 257-267, December 2000.
8. D. Wagner, J.Foster, E.Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Network and Distributed System Security Symposium (NDSS 2000), pages 3-17, San Diego, CA, April 2000. Internet Society.
9. T. J. Walls, V. Shah, and A. K. Ghosh. Towards certifying software for security. In International Software Assurance Certification Conference (ISACC 2000), Reston, VA, September 2000.