We describe ITS4, a tool for statically scanning security-critical C source code for vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4 we found new remotely-exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4.