A Synergy between Static and Dynamic Analysis for the Detection of Software Security Vulnerabilities

Authors:
Aiman Hanna;Hai Zhou Ling;Xiaochun Yang;Mourad Debbabi
Affiliations:
Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada;Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada;Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada;Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada
Venue:
OTM '09 Proceedings of the Confederated International Conferences, CoopIS, DOA, IS, and ODBASE 2009 on On the Move to Meaningful Internet Systems: Part II
Year:
2009

Citing 6
Cited 1

Automated Software Test Data Generation

IEEE Transactions on Software Engineering
The chaining approach for software test data generation

ACM Transactions on Software Engineering and Methodology (TOSEM)
Enforceable security policies

ACM Transactions on Information and System Security (TISSEC)
SELECT—a formal system for testing and debugging programs by symbolic execution

Proceedings of the international conference on Reliable software
A System to Generate Test Data and Symbolically Execute Programs

IEEE Transactions on Software Engineering
Automatic generation of random self-checking test cases

IBM Systems Journal

A systematic mapping study on the combination of static and dynamic quality assurance techniques

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

The main contribution of this paper is a framework for security testing. The key components of this framework are twofold: First, a static analyzer that automatically identifies suspicious sites of security vulnerabilities in a control flow graph. Second, a test-data generator. The intent is to attempt proving/disproving whether, or not, the suspicious sites are actual vulnerabilities. The paper introduces the static-dynamic hybrid vulnerability detection system, a system that targets the automation of security vulnerability detection in software. The system combines the detection powers of both static and dynamic analysis. Various components compose this model, namely Static Vulnerability Revealer, Goal-Path-oriented System, and Dynamic Vulnerability Detector.