Token-based scanning of source code for security problems

Viega, John; Bloch, J. T.; Kohno, Tadayoshi; McGraw, Gary

doi:10.1145/545186.545188

Cited by 31 publications

(25 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Rather than describing the differences between these tools and ours in every case, we we briefly discuss ITS4, developed by Viega et al [37], and representative of the many other static code scanners. Viega et al's requirement was to have a tool that is fast enough to be used as real-time feedback during the development process, and precise enough so that programmers would not ignore it.…”

Section: Related Workmentioning

confidence: 99%

Predicting vulnerable software components

Neuhaus

Zimmermann

Holler

et al. 2007

Proceedings of the 14th ACM Conference on Computer and Communications Security

332

215

View full text Add to dashboard Cite

Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a perfect base for further investigations on what makes components vulnerable.In an investigation of the Mozilla vulnerability history, we surprisingly found that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable.Based on this observation, we were able to extend Vulture by a simple predictor that correctly predicts about half of all vulnerable components, and about two thirds of all predictions are correct. This allows developers and project managers to focus their their efforts where it is needed most: "We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities."

show abstract

Section: Related Workmentioning

confidence: 99%

Predicting vulnerable software components

Neuhaus

Zimmermann

Holler

et al. 2007

Proceedings of the 14th ACM Conference on Computer and Communications Security

332

215

View full text Add to dashboard Cite

show abstract

“…Secure Coding Practices [27,37,50] Lexical Analysis [9,10,49,54] Data-Flow Analysis [17,30] Context Free Grammars [52,53] New APIs [13,36] Learning [15,32,48] Query Modification [4,7,46] Runtime Tainting [22,29,42,56] Data-Flow Analysis [51] Hybrid [24,25,35] Syntax Embeddings [5] Intrusion Set Randomization [3,28,31] The most straightforward and sensible approach is the adoption of secure coding practices [27,50,37], like the ones we mentioned above to prevent sql code injection. However, this does not always happen, as programmers may not be aware of them, or time schedules may be tight, encouraging sloppy practices instead.…”

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

“…Then, the resulting tokens are associated with vulnerable function calls susceptible to buffer overflows like gets, strcpy and scanf. This approach is taken by security utilities like its4, 4 Flawfinder 5 and rats 6 [54,10,9,49]. However, these tools suffer from several false positive and negative reports [11,14].…”

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

Countering code injection attacks: a unified approach

Mitropoulos

Karakoidas

Λουρίδας

et al. 2011

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Code injection exploits a software vulnerability through which a malicious user can make an application run unauthorized code. Server applications frequently employ dynamic and domain-specific languages, which are used as vectors for the attack. We propose a generic approach that prevents the class of injection attacks involving these vectors: our scheme detects attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. We have applied our approach successfully to defend against attacks targeting sql, xpath and JavaScript.

show abstract

“…The lexical analysis approach is implemented by security utilities such as BOON (Wagner et al, 2000), PScan (Johnson, 2006;Heffley & Meunier, 2004;Chen & Wagner, 2007), ITS4 (Viega et al, 2002;Viega et al, 2000;Wilander & Kamkar, 2002), Flawfinder (http://www.dwheeler.com/flawfinder/) (Wilander & Kamkar, 2002) and RATS (http: //www.security-database.com/toolswatch/RATS-v2-3-Rough-Auditing-Tool-for.html) (Kong et al, 2007;Chess & McGraw, 2004;Wilander & Kamkar, 2002). For the most part, these tools scan source code pointing out unsafe calls of string-handling functions that could lead to a CIA.…”

Section: Lexical Analysismentioning

confidence: 99%

Fatal injection: a survey of modern code injection attack countermeasures

Mitropoulos

Spinellis

2017

PeerJ Computer Science

View full text Add to dashboard Cite

With a code injection attack (CIA) an attacker can introduce malicious code into a computer program or system that fails to properly encode data that comes from an untrusted source. A CIA can have different forms depending on the execution context of the application and the location of the programming flaw that leads to the attack. Currently, CIAs are considered one of the most damaging classes of application attacks since they can severely affect an organisation's infrastructure and cause financial and reputational damage to it. In this paper we examine and categorize the countermeasures developed to detect the various attack forms. In particular, we identify two distinct categories. The first incorporates static program analysis tools used to eliminate flaws that can lead to such attacks during the development of the system. The second involves the use of dynamic detection safeguards that prevent code injection attacks while the system is in production mode. Our analysis is based on nonfunctional characteristics that are considered critical when creating security mechanisms. Such characteristics involve usability, overhead, implementation dependencies, false positives and false negatives. Our categorization and analysis can help both researchers and practitioners either to develop novel approaches, or use the appropriate mechanisms according to their needs. Subjects Security and Privacy

show abstract

Token-based scanning of source code for security problems

Cited by 31 publications

References 5 publications

Predicting vulnerable software components

Predicting vulnerable software components

Countering code injection attacks: a unified approach

Fatal injection: a survey of modern code injection attack countermeasures

Contact Info

Product

Resources

About