While there is a wide variety of both open source and proprietary source code static analyzers available in the market, each of them usually performs better on a small set of problems, making it hard to choose one single tool to rely on when examining a program. Combining the analysis of different tools may reduce the number of false negatives, but yields a corresponding increase in the number of false positives (which is already high for many tools). An interesting solution, then, is to filter these results to identify the issues least likely to be false positives. This work presents kiskadee, a system to support the usage of static analysis during software development by providing carefully ranked static analysis reports. First, it runs multiple static analyzers on the source code. Then, using a classification model, the potential bugs detected by the static analyzers are ranked based on their importance, with critical flaws ranked first and potential false positives ranked last. To train kiskadee's classification model, we post-analyze the reports generated by three tools on synthetic test cases provided by the US National Institute of Standards and Technology. To make our technique as general as possible, we limit our data to the reports themselves, excluding other information such as change histories or code metrics. The features extracted from these reports are used to train a set of decision trees using AdaBoost to create a stronger classifier, achieving 0.8 classification accuracy (the combined false positive rate of the tools used was 0.61). Finally, we use this classifier to rank static analyzer alarms based on the probability of a given alarm being an actual bug. Our experimental results show that, on average, when inspecting warnings ranked by kiskadee, one encounters 5.2 times fewer false positives before each bug than when using a randomly sorted warning list.
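The ranking step can be sketched with off-the-shelf boosted decision trees. The snippet below is a minimal illustration, not kiskadee's actual implementation: the feature layout (tool id, warning category id, number of agreeing tools) and all data points are assumptions, and scikit-learn's AdaBoostClassifier, whose default base learner is a shallow decision tree, stands in for the trained model.

    from sklearn.ensemble import AdaBoostClassifier

    # Features drawn only from the reports themselves, e.g.
    # (tool id, warning category id, number of tools flagging the same line).
    X_train = [[0, 3, 2], [1, 5, 1], [2, 3, 3], [0, 5, 1]]
    y_train = [1, 0, 1, 0]  # 1 = real bug, 0 = false positive (labeled test cases)

    # AdaBoost over shallow decision trees, as described in the abstract.
    clf = AdaBoostClassifier(n_estimators=100)
    clf.fit(X_train, y_train)

    # Rank unseen warnings: likely bugs first, likely false positives last.
    X_new = [[0, 3, 3], [1, 5, 1]]
    probs = clf.predict_proba(X_new)[:, 1]  # P(alarm is an actual bug)
    for p, features in sorted(zip(probs, X_new), key=lambda t: -t[0]):
        print(f"P(bug) = {p:.2f}  features = {features}")

Ranking by predicted probability rather than by a hard accept/reject decision is what keeps uncertain warnings in the middle of the list instead of discarding them outright.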
Certification through auditing makes it possible to ensure that critical embedded systems are secure. This entails reviewing their critical components and checking for dangerous execution paths. The latter task requires specialized tools that allow auditors to explore and replay executions, but these are difficult to use effectively within the context of an audit, where time and knowledge of the code are limited. Fault analysis is especially tricky, as the attacker may actively influence execution, rendering some common methods unusable and increasing the number of possible execution paths exponentially. In this work, we present a new method that mitigates these issues by reducing the set of fault injection points considered to only those most relevant to a given set of security properties. We use fast and robust static analysis to detect injection points and assess their impact. A more precise dynamic/symbolic method is then employed to validate attack paths. This way, the insight required to find attacks is reduced and dynamic methods can scale to realistically sized programs. Our method is implemented in a toolchain based on Frama-C and KLEE and validated on WooKey, a case study proposed by the National Cybersecurity Agency of France.
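The filtering idea can be illustrated with a deliberately tiny model. The sketch below is purely illustrative and unrelated to the Frama-C/KLEE toolchain itself: it replays an invented straight-line program once per candidate instruction-skip fault and keeps only the injection points that actually violate a security property, which are the ones worth handing to the expensive symbolic stage.

    # Toy model of fault injection point filtering (all names are made up).
    # A fault is modeled as skipping exactly one instruction.
    def run(program, skip=None):
        state = {"authenticated": False, "halt": False, "secret_leaked": False}
        for i, step in enumerate(program):
            if i == skip:
                continue  # the injected fault skips this instruction
            step(state)
        return state

    def check_pin(state):
        state["authenticated"] = False  # attacker does not know the PIN

    def guard(state):
        if not state["authenticated"]:
            state["halt"] = True        # abort before the sensitive action

    def read_secret(state):
        if not state["halt"]:
            state["secret_leaked"] = True

    program = [check_pin, guard, read_secret]

    # Keep only the injection points that break the "no secret leaks" property.
    relevant = [i for i in range(len(program))
                if run(program, skip=i)["secret_leaked"]]
    print("injection points worth validating symbolically:", relevant)  # [1]

On real binaries the replay would be a static over-approximation rather than a concrete execution, but the pruning principle is the same: discard injection points that cannot affect the property.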
ISBN (print): 9781450363198
While there is a wide variety of both open source and proprietary source code static analyzers available in the market, each of them usually performs better on a small set of problems, making it hard to choose one single tool to rely on when examining a program for bugs in the source code. Combining the analysis of different tools may reduce the number of false negatives, but yields a corresponding increase in the absolute number of false positives (which is already high for many tools). A possible solution, then, is to filter these results to identify the issues least likely to be false positives. In this study, we post-analyze the reports generated by three tools on synthetic test cases provided by the US National Institute of Standards and Technology. In order to make our technique as general as possible, we limit our data to the reports themselves, excluding other information such as change histories or code metrics. The features extracted from these reports are used to train a set of decision trees using AdaBoost to create a stronger classifier, achieving 0.8 classification accuracy (the combined false positive rate of the tools used was 0.61). Finally, we use this classifier to rank static analyzer alarms based on the probability of a given alarm being an actual bug in the source code.
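Because the study limits itself to the reports alone, feature extraction reduces to aggregating warnings by location. The sketch below is a hypothetical illustration of that step, not the study's actual code: the tool names, categories, and report schema are all assumptions.

    from collections import defaultdict

    # Raw warnings as emitted by several analyzers (illustrative schema).
    reports = [
        {"tool": "frama-c",    "file": "a.c", "line": 10, "category": "buffer-overflow"},
        {"tool": "cppcheck",   "file": "a.c", "line": 10, "category": "buffer-overflow"},
        {"tool": "flawfinder", "file": "b.c", "line": 42, "category": "format-string"},
    ]
    CATEGORIES = ["buffer-overflow", "format-string", "use-after-free"]

    # Group warnings that point at the same source location.
    by_location = defaultdict(list)
    for w in reports:
        by_location[(w["file"], w["line"])].append(w)

    # One feature row per location, built only from the reports themselves.
    rows = []
    for (path, line), ws in sorted(by_location.items()):
        row = [len({w["tool"] for w in ws})]  # how many tools agree here
        row += [sum(w["category"] == c for w in ws) for c in CATEGORIES]
        rows.append(row)

    print(rows)  # e.g. [[2, 2, 0, 0], [1, 0, 1, 0]]

Rows of this shape can feed the AdaBoost training sketched earlier; the number of agreeing tools is a typical report-only feature.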
ISBN (print): 9781509050475
Due to the constant evolution of technology, each day brings new programming languages, development paradigms, and ways of evaluating processes. Source code metrics are no different: new classes of metrics appear all the time. To use a software metric to support decisions, it is necessary to understand how to perform the metric's collection, calculation, interpretation, and analysis. Collecting and calculating source code metrics is usually automated, but how should we monitor them during the software development cycle? Our research aims to help the software engineer monitor metrics of vulnerability threats present in the source code through a reference prediction model, considering that real-world software has non-functional security requirements, which implies the need to know how to monitor these requirements during the software development cycle. As a first result, this paper presents an empirical study on the evolution of the Linux project. Based on static analysis data, we propose low-complexity models to study flaws in the Linux source code. We analyzed 391 versions of the project by mining the official Linux repository, using an approach that can be reproduced to perform similar studies. Our results show that it is possible to predict the number of warnings triggered by a static analyzer for a given software project revision, as long as the software is continuously monitored.
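A "low-complexity model" in this spirit can be as simple as a least-squares trend over the release history. The sketch below is an assumed illustration with made-up warning counts, not the paper's fitted model.

    import numpy as np

    # Static analyzer warning counts over consecutive monitored releases
    # (values invented for illustration).
    releases = np.arange(1, 11)
    warnings = np.array([120, 124, 131, 129, 140, 147, 151, 149, 158, 163])

    # Fit a straight line: warnings ~ slope * release + intercept.
    slope, intercept = np.polyfit(releases, warnings, deg=1)

    # Extrapolate to the next revision, as continuous monitoring allows.
    next_release = 11
    predicted = slope * next_release + intercept
    print(f"expected warnings for release {next_release}: {predicted:.0f}")

The point is less the model than the monitoring discipline: the prediction only stays usable while every revision keeps being measured.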
For over two decades, the web has been evolving from a simple set of hypermedia documents to a complex ecosystem of web applications supported by various frameworks. This paradigm shift has promoted a series of practices that lead to an increasing number of vulnerabilities, which can compromise the security of web applications. One of the main contributing factors lies in vulnerable source code, written in unsafe languages such as PHP. To mitigate the problem, a large research effort on web application security has taken place over the past years. Source code static analysis tools perform the task of finding program vulnerabilities in an automated fashion. These tools offer superior code coverage and easier integration into the application development cycle, and do not require the actual code to be executed. They instead perform source code analysis, looking for potential bugs while inspecting the program code. However, the analysis performed by these tools depends on their knowledge of the classes of vulnerabilities and on the implementation of analysis techniques, such as taint analysis. This means that, on one hand, the tools only search the source code for the vulnerabilities they hold knowledge of, being unable to find other kinds of problems. On the other hand, the tools may generate false positives and false negatives due to the limitations and incompleteness of the implemented analysis techniques. One such tool is the Web Application Protection (WAP) tool. The main objective of this dissertation is to identify problems with WAP and improve its vulnerability detection capabilities when processing open source PHP code. Four static analysis tools - WAP, Pixy, phpSAFE and RIPS - are evaluated against a set of WordPress plugins that are known to be vulnerable, in order to collect examples of incorrect processing by the tools which lead, for instance, to false negatives. Additionally, we define and evaluate several use cases for a common foun
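Taint analysis, the technique the four evaluated tools build on, can be shown with a deliberately tiny model. The following sketch is not how WAP, Pixy, phpSAFE, or RIPS work internally: the source, sanitizer, and sink names mirror common PHP APIs, and the three-address program is invented.

    # Toy taint tracker over a flattened view of a PHP snippet:
    #   $id   = $_GET['id'];
    #   $safe = mysql_real_escape_string($id);
    #   mysql_query("... " . $id);        // vulnerable: uses $id, not $safe
    SOURCES    = {"$_GET", "$_POST"}
    SANITIZERS = {"mysql_real_escape_string"}
    SINKS      = {"mysql_query"}

    program = [
        ("assign", "$id",   "$_GET",                     None),
        ("call",   "$safe", "mysql_real_escape_string",  "$id"),
        ("call",   None,    "mysql_query",               "$id"),
    ]

    tainted = set()
    for op, dest, func, arg in program:
        if op == "assign" and func in SOURCES:
            tainted.add(dest)                 # taint enters at a source
        elif op == "call":
            if func in SANITIZERS:
                pass                          # result is clean, taint stops here
            elif func in SINKS and arg in tainted:
                print(f"possible SQL injection: tainted {arg} reaches {func}")
            elif arg in tainted and dest:
                tainted.add(dest)             # taint propagates through other calls

Real tools differ in precisely the places this toy glosses over (aliasing, string operations, inter-procedural flows), which is where their false positives and false negatives come from.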
Although a large research effort on web application security has been going on for more than a decade, the security of web applications continues to be a challenging problem. An important part of that problem derives from vulnerable source code, often written in unsafe languages like PHP. Source code static analysis tools are a solution for finding vulnerabilities, but they tend to generate false positives and require considerable effort from programmers to manually fix the code. We explore the use of a combination of methods to discover vulnerabilities in source code with fewer false positives. We combine taint analysis, which finds candidate vulnerabilities, with data mining, which predicts the existence of false positives. This brings together two apparently orthogonal approaches: humans coding the knowledge about vulnerabilities (for taint analysis) and machines obtaining that knowledge automatically (with machine learning, for data mining). Given this enhanced form of detection, we propose doing automatic code correction by inserting fixes in the source code. Our approach was implemented in the WAP tool, and an experimental evaluation was performed with a large set of PHP applications. Our tool found 388 vulnerabilities in 1.4 million lines of code. Its accuracy and precision were approximately 5% better than PhpMinerII's and 45% better than Pixy's.
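The detect-filter-fix pipeline can be outlined in a few lines. The sketch below is an assumption-laden stand-in, not WAP's implementation: the toy predicate replaces the real induced classifier, the feature names are invented, and the textual rewrite stands in for WAP's actual fix insertion.

    # Stand-in for the data-mining model that predicts false positives
    # (a toy rule; WAP trains a real classifier on labeled candidates).
    def predict_false_positive(features):
        flow_length, sanitizers_nearby = features
        return sanitizers_nearby > 0

    # Given a taint-analysis candidate, either leave the line alone
    # (predicted false positive) or insert a sanitizing fix at the sink.
    def correct(source_line, candidate):
        features = [candidate["flow_length"], candidate["sanitizers_nearby"]]
        if predict_false_positive(features):
            return source_line
        var = candidate["variable"]
        return source_line.replace(var, f"mysql_real_escape_string({var})")

    line = 'mysql_query("SELECT * FROM t WHERE id = " . $id);'
    candidate = {"variable": "$id", "flow_length": 2, "sanitizers_nearby": 0}
    print(correct(line, candidate))

The division of labor matches the abstract: taint analysis proposes, data mining disposes, and only the survivors are rewritten.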
With water, we trust that qualities harmful to its intended use aren't present. To avoid a regulatory solution to problems with contaminants that endanger software's intended use, the industry needs to implement processes and technical methods for examining software for the contaminants that are most dangerous given its intended use. By finding systematic and verifiable ways to identify, remove, and verify the removal of contaminated software, software providers can improve customers' confidence in systems and possibly avoid regulatory solutions.
ISBN (print): 9780769541785
Coupling metrics play an important role in empirical software engineering research as well as in industrial measurement programs. Existing coupling metrics have usually been defined so that they can be computed from a static analysis of the source code. However, modern programs make extensive use of dynamic language features, such as polymorphism and dynamic class loading, that are difficult to capture by static analysis. Consequently, the derived metric values might not accurately reflect the state of a program. In this paper, we express existing definitions of coupling metrics using call graphs. We then compare the results of four different call graph construction algorithms with standard tool implementations of these metrics in an empirical study. Our results show important variations in coupling between standard and call-graph-based calculations due to the support of dynamic features.
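Computing a coupling metric over a call graph is mechanical once the edge set is fixed, which is exactly why the construction algorithm drives the result. The sketch below computes a CBO-style count from an invented edge list; all class names are made up, and the last edge marks the kind of dynamically dispatched call that a purely textual static analysis would miss.

    from collections import defaultdict

    # (caller class, callee class) edges of a call graph.
    edges = [
        ("Billing", "Gateway"),
        ("Billing", "Logger"),
        ("Gateway", "Logger"),
        ("Billing", "MockGateway"),  # only visible to a dynamic-aware builder
    ]

    # CBO counts distinct classes coupled in either direction.
    coupled = defaultdict(set)
    for caller, callee in edges:
        if caller != callee:
            coupled[caller].add(callee)
            coupled[callee].add(caller)

    for cls in sorted(coupled):
        print(f"CBO({cls}) = {len(coupled[cls])}")

Dropping the dynamically resolved edge changes the counts for Billing and MockGateway, mirroring the paper's observation that the choice of call graph construction algorithm materially changes the metric values.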