A Synergy between Static and Dynamic Analysis for the Detection of Software Security Vulnerabilities

Cited by: 0
Authors
Hanna, Aiman [1 ]
Ling, Hai Zhou [1 ]
Yang, XiaoChun [1 ]
Debbabi, Mourad [1 ]
Affiliations
[1] Concordia Univ, Concordia Inst Informat Syst Engn, Comp Secur Lab, Montreal, PQ, Canada
Keywords
Security Automata; Security Testing; Static Analysis; Dynamic Analysis; Test-Data Generation;
DOI
Not available
CLC classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
The main contribution of this paper is a framework for security testing. The key components of this framework are twofold: first, a static analyzer that automatically identifies suspicious sites of security vulnerabilities in a control flow graph; second, a test-data generator. The intent is to attempt to prove or disprove whether the suspicious sites are actual vulnerabilities. The paper introduces the static-dynamic hybrid vulnerability detection system, a system that targets the automation of security vulnerability detection in software. The system combines the detection powers of both static and dynamic analysis. Various components compose this model, namely the Static Vulnerability Revealer, the Goal-Path-oriented System, and the Dynamic Vulnerability Detector.
Pages: 815 / 832
Page count: 18
Related papers
50 in total
  • [1] On the Detection and Analysis of Software Security Vulnerabilities
    Wijesiriwardana, Chaman
    Wimalaratne, Prasad
    [J]. 2017 IEEE INTERNATIONAL CONFERENCE ON IOT AND ITS APPLICATIONS (IEEE ICIOT), 2017,
  • [2] LAPSE plus Static Analysis Security Software: Vulnerabilities Detection in Java EE Applications
    Martin Perez, Pablo
    Filipiak, Joanna
    Maria Sierra, Jose
    [J]. FUTURE INFORMATION TECHNOLOGY, PT 1, 2011, 184 : 148 - 156
  • [3] A survey of static analysis methods for identifying security vulnerabilities in software systems
    Pistoia, M.
    Chandra, S.
    Fink, S. J.
    Yahav, E.
    [J]. IBM SYSTEMS JOURNAL, 2007, 46 (02) : 265 - 288
  • [4] A survey of static code analysis methods for security vulnerabilities detection
    Kulenovic, Melina
    Donko, Dzenana
    [J]. 2014 37TH INTERNATIONAL CONVENTION ON INFORMATION AND COMMUNICATION TECHNOLOGY, ELECTRONICS AND MICROELECTRONICS (MIPRO), 2014, : 1381 - 1386
  • [5] Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?
    Baca, Dejan
    Petersen, Kai
    Carlsson, Bengt
    Lundberg, Lars
    [J]. 2009 INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY, AND SECURITY (ARES), VOLS 1 AND 2, 2009, : 804 - +
  • [6] Static detection of security vulnerabilities in scripting languages
    Xie, Yichen
    Aiken, Alex
    [J]. USENIX Association Proceedings of the 15th USENIX Security Symposium, 2006, : 179 - 192
  • [7] Automation of Detection of Security Vulnerabilities in Web Services using Dynamic Analysis
    Kumar, Rahul
    Indraveni, K.
    Goel, Aakash Kumar
    [J]. 2014 9TH INTERNATIONAL CONFERENCE FOR INTERNET TECHNOLOGY AND SECURED TRANSACTIONS (ICITST), 2014, : 334 - 336
  • [8] On the capability of static code analysis to detect security vulnerabilities
    Goseva-Popstojanova, Katerina
    Perhinschi, Andrei
    [J]. INFORMATION AND SOFTWARE TECHNOLOGY, 2015, 68 : 18 - 33
  • [9] Detecting Software Vulnerabilities in Android Using Static Analysis
    Dhaya, R.
    Poongodi, M.
    [J]. 2014 INTERNATIONAL CONFERENCE ON ADVANCED COMMUNICATION CONTROL AND COMPUTING TECHNOLOGIES (ICACCCT), 2014, : 915 - 918
  • [10] Integrating static and dynamic analysis for detecting vulnerabilities
    Aggarwal, Ashish
    Jalote, Pankaj
    [J]. 30TH ANNUAL INTERNATIONAL COMPUTER SOFTWARE AND APPLICATIONS CONFERENCE, VOL 1, REGULAR PAPERS/PANELS, PROCEEDINGS, 2006, : 343 - +