Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software

Pozza, Davide; Sisto, Riccardo; Durante, Luca; Valenzano, Adriano

doi:10.1109/comswa.2006.1665217

Cited by 17 publications

(5 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Take most common tools with high efficiency (Its4, Rats, Flawfinder) for example, David Pozza's research indicated [6] that, when being tested with the same software package, Flawfinder found the most vulnerabilities, but did not totally cover those found by Rats and Its4; numbers of vulnerabilities found by Rats and Its4 are close, but many of them are not the same. Thus if each static analysis tool's advantages can be made full use of, and output data of these tools' analysis results can be fused in a proper way, to let the vulnerabilities sets verify and complement each other, and surely a better result comes out.…”

Section: The Reason For This Methodsmentioning

confidence: 99%

ISA: A Source Code Static Vulnerability Detection System Based on Data Fusion

Kong¹,

Zheng²,

Chen³

et al. 2007

Proceedings of the 2nd International ICST Conference on Scalable Information Systems

View full text Add to dashboard Cite

Static analysis is a kind of effective method to detect the vulnerabilities in the software. Without running the programs, static analysis tools can be used to automatically discover unknown bugs. To cope with the problem of high false positives and false negatives in source code static analysis methods, this paper presents a source code static analysis technology for vulnerability detection based on data fusion. By parsing and making data fusion on the outcome of different static analysis methods, this technology lets different results validate each other, which greatly decreases the false positives and false negatives. Brief explanations are given to support this method. A prototype system of scalable source code analysis system (ISA for short) is designed and implemented which also can automatically search for the best result based on feedback of the user interaction. The whole system is scalable and platform-independent. It is proved by experiment that this method has a better performance with lower false positives and false negatives and higher efficiency compared with one single method.

show abstract

Section: The Reason For This Methodsmentioning

confidence: 99%

ISA: A Source Code Static Vulnerability Detection System Based on Data Fusion

Kong¹,

Zheng²,

Chen³

et al. 2007

Proceedings of the 2nd International ICST Conference on Scalable Information Systems

View full text Add to dashboard Cite

show abstract

“…According to the literatures, it is pointed that flaw finder finds most of vulnerabilities, but not completely includes vulnerabilities found by RATS and ITS4 aimed to the same software package. The quantity of vulnerabilities found by RATS and ITS4 have a smaller difference, but with many disjoint sets [8]. Splint is adopted to detect modular for the C language [9].…”

Section: A the Main Ideamentioning

confidence: 99%

A Static Comprehensive Analytical Method for Buffer Overflow Vulnerability Detection

Shao¹,

Yan²,

Genqing³

et al. 2016

Proceedings of the 2016 International Conference on Computer Science and Electronic Technology

View full text Add to dashboard Cite

Abstract-Buffer overflow vulnerability is a widespread and dangerous security problem. Detecting buffer overflow vulnerability has great research value in information security area. This paper proposes a static comprehensive analytical method for buffer overflow vulnerability detection. Firstly, this method adopts many kinds of static detection tools for detecting the source codes and producing their own detecting reports. Secondly, comprehensive analysis is implemented to evaluate the reliability weights of detecting tools by training process with detection results, and further optimize the detection results. This training process can improve the efficiency of discovering buffer overflow vulnerabilities with lower rate of omissions and misstatements. The experimental results show that compared with single static detection methods, the rates of both false alert and missed alert decrease significantly.

show abstract

“…Moreover, programming languages, which are likely to make the programming task easier, are still frequent to error prawn. This is because of either the new languages' features do not exclude all the causes of errors or C, C++, etc like some old languages are in use [4,7,9].…”

Section: Optimization Issuesmentioning

confidence: 99%

“…For grammatically incorrect input string, the parser declares the detection of syntax error. No parse tree [7] in this case is generated. As an alternative to parsing, based on the repetitive application of regular expressions using a shortest-match strategy, we may apply an iterative lexical technique.…”

Section: Parser Generatormentioning

confidence: 99%

A New Approach of Complier Design in Context of Lexical Analyzer and Parser Generation for NextGen Languages

Bhowmik¹,

Kumar²,

Jha³

et al. 2010

IJCA

View full text Add to dashboard Cite

A compiler translates and/or compiles a program written in a suitable source language into an equivalent target language through a number of stages. Starting with recognition of token through target code generation provide a basis for communication interface between a user and a processor in significant amount of time. A new approach GLAP model for design and time complexity analysis of lexical analyzer is proposed in this paper. In the model different steps of tokenizer (generation of tokens) through lexemes, and better input system implementation have been introduced. Disk access and state machine driven Lex are also reflected in the model towards its complete utility. The model also introduces generation of parser. Implementation of symbol table and its interface using stack is another innovation of the model in acceptance with both theoretically and in implementation widely. General TermsCompiler, Language Processor.

show abstract

Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software

Cited by 17 publications

References 6 publications

ISA: A Source Code Static Vulnerability Detection System Based on Data Fusion

ISA: A Source Code Static Vulnerability Detection System Based on Data Fusion

A Static Comprehensive Analytical Method for Buffer Overflow Vulnerability Detection

A New Approach of Complier Design in Context of Lexical Analyzer and Parser Generation for NextGen Languages

Contact Info

Product

Resources

About