A model for security vulnerability pattern

Authors:
Hyungwoo Kang;Kibom Kim;Soonjwa Hong;Dong Hoon Lee
Affiliations:
National Security Research Institute, Daejeon, Korea;National Security Research Institute, Daejeon, Korea;National Security Research Institute, Daejeon, Korea;Center for Information Security Technologies(CIST), Korea University, Seoul, Korea
Venue:
ICCSA'06 Proceedings of the 2006 international conference on Computational Science and Its Applications - Volume Part III
Year:
2006

Citing 10
Cited 1

Objective ML: an effective object-oriented extension to ML

Theory and Practice of Object Systems - Third workshop on foundations of object-oriented languages (FOOL 3)
Automatic predicate abstraction of C programs

Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
The SLAM project: debugging system software via static analysis

POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Introduction To Automata Theory, Languages, And Computation

Introduction To Automata Theory, Languages, And Computation
MOPS: an infrastructure for examining security properties of software

Proceedings of the 9th ACM conference on Computer and communications security
Relative Completeness of Abstraction Refinement for Software Model Checking

TACAS '02 Proceedings of the 8th International Conference on Tools and Algorithms for the Construction and Analysis of Systems
Setuid Demystified

Proceedings of the 11th USENIX Security Symposium
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs

CC '02 Proceedings of the 11th International Conference on Compiler Construction
Type qualifiers: lightweight specifications to improve software quality

Type qualifiers: lightweight specifications to improve software quality
Testing static analysis tools using exploitable buffer overflows from open source code

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering

Security Assessment Framework Using Static Analysis and Fault Injection

ICIC '08 Proceedings of the 4th international conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications - with Aspects of Theoretical and Methodological Issues

Quantified Score

Hi-index	0.00

Visualization

Abstract

Static analysis technology is used to find programming errors before run time. Unlike dynamic analysis technique which looks at the application state while it is being executed, static analysis technique does not require the application to be executed. In this paper, we classify security vulnerability patterns in source code and design a model to express various security vulnerability patterns by making use of pushdown automata. On the basis of the model, it is possible to find a security vulnerability by making use of Abstract Syntax Tree (AST) based pattern matching technique in parsing level.