Security benchmarking using partial verification

Authors:
Thomas E. Hart;Marsha Chechik;David Lie
Affiliations:
Department of Computer Science, University of Toronto;Department of Computer Science, University of Toronto;Department of Electrical and Computer Engineering, University of Toronto
Venue:
HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Year:
2008

Citing 21
Cited 0

Typestate: A programming language concept for enhancing software reliability

IEEE Transactions on Software Engineering
Software metrics (2nd ed.): a rigorous and practical approach

Software metrics (2nd ed.): a rigorous and practical approach
Proof-carrying code

Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Model checking

Model checking
Enforceable security policies

ACM Transactions on Information and System Security (TISSEC)
Letters to the editor: go to statement considered harmful

Communications of the ACM
An axiomatic basis for computer programming

Communications of the ACM
A system and language for building system-specific, static analyses

PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Setuid Demystified

Proceedings of the 11th USENIX Security Symposium
CSSV: towards a realistic tool for statically detecting all buffer overflows in C

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Precise and efficient static array bound checking for large embedded C programs

Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
CCured: type-safe retrofitting of legacy software

ACM Transactions on Programming Languages and Systems (TOPLAS)
Modular checking for buffer overflows in the large

Proceedings of the 28th international conference on Software engineering
Software Measurement and Estimation: A Practical Approach (Quantitative Software Engineering Series)

Software Measurement and Estimation: A Practical Approach (Quantitative Software Engineering Series)
Thorough static analysis of device drivers

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Sound and precise analysis of web applications for injection vulnerabilities

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Static detection of cross-site scripting vulnerabilities

Proceedings of the 30th international conference on Software engineering
Secure programming with static analysis

Secure programming with static analysis
Precise analysis of string expressions

SAS'03 Proceedings of the 10th international conference on Static analysis
F-SOFT: software verification platform

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification

Quantified Score

Hi-index	0.00

Visualization

Abstract

Implementation-level vulnerabilities are a persistent threat to the security of computing systems. We propose using the results of partially-successful verification attempts to place a numerical upper bound on the insecurity of systems, in order to motivate improvement.