-
- John Viega
- Virginia Tech, Falls Church, VA
-
- J. T. Bloch
- University of Chicago, Chicago, IL
-
- Tadayoshi Kohno
- University of California, San Diego, CA
-
- Gary McGraw
- Cigital, Dulles, VA
この論文をさがす
説明
<jats:p> We describe <jats:bold>ITS4</jats:bold> , a tool for statically scanning C and C++ source code for security vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using <jats:bold>ITS4</jats:bold> , we found new remotely exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software.We also describe functionality in more recent tools modeled after <jats:bold>ITS4</jats:bold> , and discuss algorithms that could easily be used to augment these kinds of tools. Particularly, we describe a solution we have prototyped that allows for more rigorous analysis of C and C++ source code, without failing to analyze parts of the program due to preprocessor conditionals. </jats:p>
収録刊行物
-
- ACM Transactions on Information and System Security
-
ACM Transactions on Information and System Security 5 (3), 238-261, 2002-08
Association for Computing Machinery (ACM)