Type qualifiers: lightweight specifications to improve software quality
Type qualifiers: lightweight specifications to improve software quality
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Hi-index | 0.00 |
1. Much of the blame for security violations goes to bad software and that too at the coding level. Even the best security algorithms can be broken due to incorrect programs. The firstpublished reports of format string bugs appeared in 2000, followed by the rapid discovery of similar vulnerabilities in most high-profile software projects. These includethe Apache web server, wu-ftpd FTP server, OpenBSD kerneland many others. There is a need to find the vulnerabilities like variable buffer overflow, stack traces, control flows, string format syntaxes etc in software before it is deployed. If one can give the facility to verify the presence of these vulnerabilities at the time the program is written, that helps the developer in correcting it then and there. We have developed "checkers" using codan which is a light-weight static analysis framework in CDT(Eclipse's C/C++ Development Tooling project). Our checkers perform real time analysis using Abstract Syntax Tree on the code to find some of the format string vulnerabilities in C language. The method is explained in the paper.