A system and language for building system-specific, static analyses
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Runtime verification of authorization hook placement for the linux security modules framework
Proceedings of the 9th ACM conference on Computer and communications security
MOPS: an infrastructure for examining security properties of software
Proceedings of the 9th ACM conference on Computer and communications security
Using redundancies to find errors
Proceedings of the 10th ACM SIGSOFT symposium on Foundations of software engineering
Using redundancies to find errors
ACM SIGSOFT Software Engineering Notes
Using CQUAL for Static Analysis of Authorization Hook Placement
Proceedings of the 11th USENIX Security Symposium
BlueBoX: A policy-driven, host-based intrusion detection system
ACM Transactions on Information and System Security (TISSEC)
Anomaly Detection Using Call Stack Information
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
ACM SIGOPS Operating Systems Review - OSDI '02: Proceedings of the 5th symposium on Operating systems design and implementation
Protecting C programs from attacks via invalid pointer dereferences
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Terra: a virtual machine-based platform for trusted computing
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
MECA: an extensible, expressive system and language for statically checking security properties
Proceedings of the 10th ACM conference on Computer and communications security
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Verifying safety properties using separation and heterogeneous abstractions
Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
Consistency analysis of authorization hook placement in the Linux security modules framework
ACM Transactions on Information and System Security (TISSEC)
Software validation via scalable path-sensitive value flow analysis
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
IEEE Security and Privacy
ACM Transactions on Computer Systems (TOCS)
ACM SIGPLAN Notices
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementation
Symmetric behavior-based trust: a new paradigm for internet computing
NSPW '04 Proceedings of the 2004 workshop on New security paradigms
Automatic Mining of Source Code Repositories to Improve Bug Finding Techniques
IEEE Transactions on Software Engineering
A software flaw taxonomy: aiming tools at security
SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
Combining static analysis and runtime monitoring to counter SQL-injection attacks
WODA '05 Proceedings of the third international workshop on Dynamic analysis
Typestate verification: abstraction techniques and complexity results
Science of Computer Programming - Special issue: Static analysis symposium (SAS 2003)
Modular checking for buffer overflows in the large
Proceedings of the 28th international conference on Software engineering
Applying flow-sensitive CQUAL to verify MINIX authorization check placement
Proceedings of the 2006 workshop on Programming languages and analysis for security
Precise alias analysis for static detection of web application vulnerabilities
Proceedings of the 2006 workshop on Programming languages and analysis for security
Condate: a proto-language at the confluence between checking and compiling
Proceedings of the 8th ACM SIGPLAN international conference on Principles and practice of declarative programming
NetHost-sensor: Monitoring a target host's application via system calls
Information Security Tech. Report
High coverage detection of input-related security faults
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Static analysis of executables to detect malicious patterns
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Understanding data lifetime via whole system simulation
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Securing software by enforcing data-flow integrity
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Flow-insensitive static analysis for detecting integer anomalies in programs
SE'07 Proceedings of the 25th conference on IASTED International Multi-Conference: Software Engineering
Effective typestate verification in the presence of aliasing
ACM Transactions on Software Engineering and Methodology (TOSEM)
Portably solving file TOCTTOU races with hardness amplification
FAST'08 Proceedings of the 6th USENIX Conference on File and Storage Technologies
CMV: automatic verification of complete mediation for java virtual machines
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Portably solving file races with hardness amplification
ACM Transactions on Storage (TOS)
Automatic Verification of Strongly Dynamic Software Systems
Verified Software: Theories, Tools, Experiments
Characterizing Bots' Remote Control Behavior
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Efficient and extensible security enforcement using dynamic data flow analysis
Proceedings of the 15th ACM conference on Computer and communications security
Interprocedural and Flow-Sensitive Type Analysis for Memory and Type Safety of C Code
Journal of Automated Reasoning
TAJ: effective taint analysis of web applications
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Empirical Software Engineering
Finding bugs in exceptional situations of JNI programs
Proceedings of the 16th ACM conference on Computer and communications security
Verification of CERT Secure Coding Rules: Case Studies
OTM '09 Proceedings of the Confederated International Conferences, CoopIS, DOA, IS, and ODBASE 2009 on On the Move to Meaningful Internet Systems: Part II
SherLog: error diagnosis by connecting clues from run-time logs
Proceedings of the fifteenth edition of ASPLOS on Architectural support for programming languages and operating systems
Typestate verification: abstraction techniques and complexity results
SAS'03 Proceedings of the 10th international conference on Static analysis
Prevention of cross-site scripting attacks on current web applications
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
Graph queries through datalog optimizations
Proceedings of the 12th international ACM SIGPLAN symposium on Principles and practice of declarative programming
Static analysis for detecting taint-style vulnerabilities in web applications
Journal of Computer Security
Review of software security defects taxonomy
RSKT'10 Proceedings of the 5th international conference on Rough set and knowledge technology
Determining malicious executable distinguishing attributes and low-complexity detection
Journal in Computer Virology
Saving the world wide web from vulnerable JavaScript
Proceedings of the 2011 International Symposium on Software Testing and Analysis
A study of android application security
SEC'11 Proceedings of the 20th USENIX conference on Security
An 'explicit type enforcement' program transformation tool for preventing integer vulnerabilities
Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion
Using type qualifiers to analyze untrusted integers and detecting security flaws in C programs
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Using static program analysis to aid intrusion detection
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Linux kernel vulnerabilities: state-of-the-art defenses and open problems
Proceedings of the Second Asia-Pacific Workshop on Systems
Interprocedural analysis for privileged code placement and tainted variable detection
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
Automatic incrementalization of prolog based static analyses
PADL'07 Proceedings of the 9th international conference on Practical Aspects of Declarative Languages
A survey on detection techniques to prevent cross-site scripting attacks on current web applications
CRITIS'07 Proceedings of the Second international conference on Critical Information Infrastructures Security
Idea: opcode-sequence-based malware detection
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Idea: towards architecture-centric security analysis of software
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
Improving integer security for systems with KINT
OSDI'12 Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation
THAPS: automated vulnerability scanning of PHP applications
NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
ANDROMEDA: accurate and scalable security analysis of web applications
FASE'13 Proceedings of the 16th international conference on Fundamental Approaches to Software Engineering
Finding your way in the testing jungle: a learning approach to web security testing
Proceedings of the 2013 International Symposium on Software Testing and Analysis
Program transformations to fix C integers
Proceedings of the 2013 International Conference on Software Engineering
This paper shows how system-specific static analysis can find security errors that violate rules such as "integers from untrusted sources must be sanitized before use" and "do not dereference user-supplied pointers." In our approach, programmers write system-specific extensions that are linked into the compiler and check their code for errors. We demonstrate the approach's effectiveness by using it to find over 100 security errors in Linux and OpenBSD, over 50 of which have led to kernel patches. An unusual feature of our approach is the use of methods to automatically detect when we miss code actions that should be checked.