sheckman | Shared With: Everyone - Nov 14 2006 | research, reference, static analysis, schilling- sheckman | Shared With: Everyone - Nov 13 2006 | research, static analysis, reference
Finding Security Vulnerabilities in Java Applications
with Static Analysis by V. Benjamin Livshits and Monica S. LamThis paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment.
Our static analysis found 29 security vulnerabilities in nine large, popular open-source applications, with two of the vulnerabilities residing in widely-used Java libraries. In fact, all but one application in our benchmark suite had at least one vulnerability.Context sensitivity, combined with improved object naming, proved instrumental in keeping the number of false positives low. Our approach yielded very few false positives in our experiments: in fact, only one of our benchmarks suffered from false alarms. - sheckman | Shared With: Everyone - Nov 13 2006 | reference, research, static analysis
Statically Detecting Likely Buffer Overflow Vulnerabilities by David Larochelle and David Evans
Buffer overflow attacks may be today’s single most important security threat. This paper presents a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code. Our approach exploits information provided in semantic comments and uses lightweight and efficient static analyses. This paper describes an implementation of our approach that extends the LCLint annotation-assisted static checking tool. Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.
- sheckman | Shared With: Everyone - Nov 09 2006 | static analysis, research, reference, researcher
- sheckman | Shared With: Everyone - Sep 07 2006 | static analysis, research, reference, researcher
- sheckman | Shared With: Everyone - Sep 07 2006 | static analysis, research, researcher, reference
- sheckman | Shared With: Everyone - Mar 21 2006 | research, reference
Related Content from Around Faves
reference
-
1 FaverViewed: 12 TimesQuoted: Need to override an operator in your Python class? Ever wonder what all those double-underscore class methods do? Here's your answer. Note that this is a work in progress, feel free to add to it -- the list of methods & properties that I know about is at the bottom.
- mike - Jun 17 20081 FaverViewed: 5 Times
- gaikokujinkyofusho - May 31 20071 FaverViewed: 25 Times
research
-
The DOE Data Explorer (DDE) locates scientific research data - such as computer simulations, numeric data files, figures and plots, interactive maps, multimedia, and scientific images - generated by DOE-sponsored research in various science disciplines. The DOE Data Explorer includes a database of citations prepared by the Office of Scientific and Technical Information (OSTI). It is intended for students, the public, and to researchers who are looking for experimental or observational data outside their normal field of expertise.
1 FaverViewed: 5 Times - ross - 22 days ago1 FaverViewed: 3 Times
- buggia - 30 days ago1 FaverViewed: 8 Times
