Using testing techniques for vulnerability detection in C programs

Authors:
Amel Mammar;Ana Cavalli;Willy Jimenez;Wissam Mallouli;EdgardoMontes de Oca
Affiliations:
Télécom SudParis, SAMOVAR, Evry Cedex, France;Télécom SudParis, SAMOVAR, Evry Cedex, France;Télécom SudParis, SAMOVAR, Evry Cedex, France;Montimage, France;Montimage, France
Venue:
ICTSS'11 Proceedings of the 23rd IFIP WG 6.1 international conference on Testing software and systems
Year:
2011

Citing 12
Cited 0

Passive testing and applications to network management

ICNP '97 Proceedings of the 1997 International Conference on Network Protocols (ICNP '97)
Inside the Windows Security Push

IEEE Security and Privacy
Fault Identification in Networks by Passive Testing

SS '01 Proceedings of the 34th Annual Simulation Symposium (SS01)
Application Penetration Testing

IEEE Security and Privacy
A passive testing approach based on invariants: application to the WAP

Computer Networks and ISDN Systems
An Enhanced Passive Testing Approach for Network Protocols

ICNICONSMCL '06 Proceedings of the International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies
Analysis of software vulnerability

ISP'06 Proceedings of the 5th WSEAS International Conference on Information Security and Privacy
Dynamic taint propagation: Finding vulnerabilities without attacking

Information Security Tech. Report
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Model-Checking for Software Vulnerabilities Detection with Multi-Language Support

PST '08 Proceedings of the 2008 Sixth Annual Conference on Privacy, Security and Trust
Verification, Validation, and Evaluation in Information Security Risk Management

IEEE Security and Privacy
The BINCOA framework for binary code analysis

CAV'11 Proceedings of the 23rd international conference on Computer aided verification

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents a technique for vulnerability detection in C programs. It is based on a vulnerability formal model called "Vulnerability Detection Conditions" (VDCs). This model is used together with passive testing techniques for the automatic detection of vulnerabilities. The proposed technique has been implemented in a dynamic code analysis tool, TestInv-Code, which detects the presence of vulnerabilities on a given code, by checking dynamically the VDCs on the execution traces of the given program. The tool has been applied to several C applications containing some well known vulnerabilities to illustrate its effectiveness. It has also been compared with existing tools in the market, showing promising performances.