sheckman | Shared With: Everyone - Dec 29 2006 | reference, static analysis, security, tools- sheckman | Shared With: Everyone - Nov 14 2006 | research, reference, static analysis, schilling
- sheckman | Shared With: Everyone - Nov 13 2006 | research, static analysis, reference
Finding Security Vulnerabilities in Java Applications
with Static Analysis by V. Benjamin Livshits and Monica S. LamThis paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment.
Our static analysis found 29 security vulnerabilities in nine large, popular open-source applications, with two of the vulnerabilities residing in widely-used Java libraries. In fact, all but one application in our benchmark suite had at least one vulnerability.Context sensitivity, combined with improved object naming, proved instrumental in keeping the number of false positives low. Our approach yielded very few false positives in our experiments: in fact, only one of our benchmarks suffered from false alarms. - sheckman | Shared With: Everyone - Nov 13 2006 | reference, research, static analysis
Statically Detecting Likely Buffer Overflow Vulnerabilities by David Larochelle and David Evans
Buffer overflow attacks may be today’s single most important security threat. This paper presents a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code. Our approach exploits information provided in semantic comments and uses lightweight and efficient static analyses. This paper describes an implementation of our approach that extends the LCLint annotation-assisted static checking tool. Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.
- sheckman | Shared With: Everyone - Nov 09 2006 | static analysis, research, reference, researcher
- sheckman | Shared With: Everyone - Sep 07 2006 | static analysis, research, reference, researcher
- sheckman | Shared With: Everyone - Sep 07 2006 | static analysis, research, researcher, reference
- sheckman | Shared With: Everyone - Mar 21 2006 | research, reference
- sheckman | Shared With: Everyone - Mar 21 2006 | reference, static analysis, pql
OOPSLA 2005
Related Content from Around Faves
reference
-
Operations on Python dictionaries (mapping objects).
1 FaverViewed: 5 Times - phillosophicflat - Oct 27 20062 FaversViewed: 40 Times
- narisa - Jun 20 20068 FaversViewed: 89 Times
research
-
Quoted: Many a professor dreams of revolution. But Norman T. Uphoff, working in a leafy corner of the Cornell University campus, is leading an inconspicuous one centered on solving the global food crisis. The secret, he says, is a new way of growing rice.
Originally developed by a French Jesuit priest based in Madagascar.
1 FaverViewed: 3 Times - gutzeit - May 30 20071 FaverViewed: 11 Times
- DataShare - 28 days ago1 FaverViewed: 2 Times
