Token-based scanning of source code for security problems
- John Viega, Virginia Tech, Falls Church, VA
- J. T. Bloch, University of Chicago, Chicago, IL
- Tadayoshi Kohno, University of California, San Diego, CA
- Gary McGraw, Cigital, Dulles, VA
Description
We describe ITS4, a tool for statically scanning C and C++ source code for security vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4, we found new remotely exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. We also describe functionality in more recent tools modeled after ITS4, and discuss algorithms that could easily be used to augment these kinds of tools. Particularly, we describe a solution we have prototyped that allows for more rigorous analysis of C and C++ source code, without failing to analyze parts of the program due to preprocessor conditionals.
Journal
- ACM Transactions on Information and System Security 5 (3), 238-261, 2002-08
- Association for Computing Machinery (ACM)
Details
- CRID: 1362544421011581312
- ISSN: 15577406, 10949224
- Data Source: Crossref