Improving network applications security: a new heuristic to generate stress testing data
GECCO '05 Proceedings of the 7th annual conference on Genetic and evolutionary computation
Measuring the attack surfaces of two FTP daemons
Proceedings of the 2nd ACM workshop on Quality of protection
New Frontiers of Reverse Engineering
FOSE '07 2007 Future of Software Engineering
Tracking system bugs: why are buffer overruns still around?
Proceedings of the 35th annual ACM SIGUCCS fall conference
Predicting vulnerable software components
Proceedings of the 14th ACM conference on Computer and communications security
Detecting buffer overflow via automatic test input data generation
Computers and Operations Research
Impact of inheritance on vulnerability propagation at design phase
ACM SIGSOFT Software Engineering Notes
The life and death of statically detected vulnerabilities: An empirical study
Information and Software Technology
SUDS: an infrastructure for creating dynamic software defect detection tools
Automated Software Engineering
Comparing and applying attack surface metrics
Proceedings of the 4th international workshop on Security measurements and metrics
| Hi-index | 0.00 |
Software maintainers and auditors would benefit from atool to help them focus their attention on functions that arelikely to be the source of security vulnerabilities. However,the existence of such a tool is predicated on the ability tocharacterize a function's 'security vulnerability likelihood.'Our hypothesis is that functions near a source of inputare most likely to contain a security vulnerability. Thesefunctions should be a small percentage of the total numberof functions in the system. To validate this hypothesis, weperformed an experiment involving thirty one vulnerabilitiesin thirty open source systems. This paper describes theexperiment, its outcome, and the tools used to conduct it.It also describes the FLF Finder, which is a tool that wasdeveloped using knowledge gathered from the outcome ofthe experiment. This tool automates the detection of high-riskfunctions. To demonstrate the effectiveness of the FLFFinder, three open source applications with known vulnerabilitieswere tested. In addition to this test, a case study wasperformed on the privilege separation code in the OpenSSHserver daemon.