sheckman | Shared With: Everyone - Dec 29 2006 | reference, static analysis, security, tools- sheckman | Shared With: Everyone - Nov 14 2006 | research, reference, static analysis, schilling
- sheckman | Shared With: Everyone - Nov 13 2006 | research, static analysis, reference
Finding Security Vulnerabilities in Java Applications
with Static Analysis by V. Benjamin Livshits and Monica S. LamThis paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment.
Our static analysis found 29 security vulnerabilities in nine large, popular open-source applications, with two of the vulnerabilities residing in widely-used Java libraries. In fact, all but one application in our benchmark suite had at least one vulnerability.Context sensitivity, combined with improved object naming, proved instrumental in keeping the number of false positives low. Our approach yielded very few false positives in our experiments: in fact, only one of our benchmarks suffered from false alarms. - sheckman | Shared With: Everyone - Nov 13 2006 | reference, research, static analysis
Statically Detecting Likely Buffer Overflow Vulnerabilities by David Larochelle and David Evans
Buffer overflow attacks may be today’s single most important security threat. This paper presents a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code. Our approach exploits information provided in semantic comments and uses lightweight and efficient static analyses. This paper describes an implementation of our approach that extends the LCLint annotation-assisted static checking tool. Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.
- sheckman | Shared With: Everyone - Nov 09 2006 | static analysis, research, reference, researcher
- sheckman | Shared With: Everyone - Sep 07 2006 | static analysis, research, reference, researcher
- sheckman | Shared With: Everyone - Sep 07 2006 | static analysis, research, researcher, reference
- sheckman | Shared With: Everyone - Mar 21 2006 | reference, static analysis, pql
OOPSLA 2005
Related Content from Around Faves
reference
-
Need to go but don't want to suffer?
The best maps mashup that i have ever seen.
1 FaverViewed: 3 Times - gpmedia - Sep 24 20062 FaversViewed: 47 Times
- ujwala - May 11 20062 FaversViewed: 31 Times
research
-
The DOE Data Explorer (DDE) locates scientific research data - such as computer simulations, numeric data files, figures and plots, interactive maps, multimedia, and scientific images - generated by DOE-sponsored research in various science disciplines. The DOE Data Explorer includes a database of citations prepared by the Office of Scientific and Technical Information (OSTI). It is intended for students, the public, and to researchers who are looking for experimental or observational data outside their normal field of expertise.
1 FaverViewed: 7 Times - drewsaylor4 - Jul 15 200819 FaversViewed: 4 Times
- cltg3006 - Jul 24 20081 FaverViewed: 10 Times
