Top

Wireless Personal Communications

Published in:

01-08-2016

Software Vulnerability Detection Methodology Combined with Static and Dynamic Analysis

Authors: Seokmo Kim, R. Young Chul Kim, Young B. Park

Published in: Wireless Personal Communications | Issue 3/2016

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Software vulnerability is the attack surface. Therefore, vulnerabilities innate in software should be detected for software security assurance. Vulnerability detection method can be divided into static vulnerability detection and dynamic vulnerability detection. Static vulnerability detection is more commonly used for vulnerability detection. This method has many benefits, but it also creates false positives. Therefore, this paper proposes a method to combine static and dynamic detection to reduce false positives created from static vulnerability detection. The proposed method verifies the vulnerability by implanting a fault, based on the information received from static code analysis.

previous article A Study on the Authentication and Security of Financial Settlement Using the Finger Vein Technology in Wireless Internet Environment

next article A New Performance Assessment Modeling and Development of a Performance Assessment System for a Cloud Service

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

National Institute of Standards and Technology (NIST). (2014). National vulnerability database. Retrieved September 28, 2014. http://nvd.nist.gov.

Dhamankar, R., Dausin, M., Eisenbarth, M., King, J., Kandek, W., Ullrich, J., & Lee, R. (2009). The top cyber security risks. Tipping Point, Qualys, the Internet Storm Center and the SANS Institute faculty, Tech. Rep.

Gopalakrishna, R., Spafford, E., & Vitek, J. (2005). Vulnerability likelihood: A probabilistic approach to software assurance. CERIAS, Purdue Univeristy Tech. Rep, 6, 2005.

Vassilaras, S., & Yovanof, G. S. (2010). Wireless innovations as enablers for complex & dynamic artificial systems. Wireless Personal Communications, 53(3), 365–393.CrossRef

Garitano, I., Fayyad, S., & Noll, J. (2015). Multi-metrics approach for security, privacy and dependability in embedded systems. Wireless Personal Communications, 81(4), 1359–1376.CrossRef

Gladisch, A., Daher, R., & Tavangarian, D. (2014). Survey on mobility and multihoming in future internet. Wireless Personal Communications, 74(1), 45–81.CrossRef

McGraw, G. (2006). Software security: Building security in (Vol. 1). Boston: Addison-Wesley Professional.

Chess, B., & McGraw, G. (2004). Static analysis for security. IEEE Security and Privacy, 6, 76–79.CrossRef

Wheeler, D. (2006). Flawfinder home page. Web page: http://www.dwheeler.com/flawfinder.

10.

Viega, J., Bloch, J. T., Kohno, Y., & McGraw, G. (2000). ITS4: A static vulnerability scanner for C and C++ code. In Computer Security Applications, 2000. ACSAC’00. 16th Annual Conference (pp. 257–267). IEEE.

11.

Copeland, T. (2005). PMD applied. https://pmd.github.io. Accessed 19 Aug 2015.

12.

Zhang, J. (2011). A mobile agent-based tool supporting web services testing. Wireless Personal Communications, 56(1), 147–172.CrossRef

13.

Hsueh, M. C., Tsai, T. K., & Iyer, R. K. (1997). Fault injection techniques and tools. Computer, 30(4), 75–82.CrossRef

14.

Source code instrumentation overview at IBM website, http://www-01.ibm.com/support/knowledgecenter/#!/SSSHUF_8.0.0/com.ibm.rational.testrt.doc/topics/cinstruovw.html.

15.

Huang, J. C. (1978). Program instrumentation and software testing. Computer, 4, 25–32.CrossRef

16.

Introduction to instrumentation and tracing at Microsoft developer network website, https://msdn.microsoft.com/en-us/library/aa983649(VS.71).aspx.

17.

Luk, C. K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., & Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In ACM Sigplan Notices (Vol. 40, No. 6, pp. 190–200). ACM.

18.

Bala, V., Duesterwald, E., & Banerjia, S. (2000). Dynamo: A transparent dynamic optimization system. In ACM SIGPLAN Notices (Vol. 35, No. 5, pp. 1–12). ACM.

19.

Mens, T., & Van Gorp, P. (2006). A taxonomy of model transformation. Electronic Notes in Theoretical Computer Science, 152, 125–142.CrossRef

20.

Object Management Group. http://www.omg.org.

21.

Mell, P., Scarfone, K., & Romanosky, S. (2006). Common vulnerability scoring system. Security & Privacy, IEEE, 4(6), 85–89.CrossRef

22.

Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., & Vigna, G. (2008). Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 387–401). IEEE.

23.

Halfond, W. G. J., Choudhary, S. R., & Orso, A. (2011). Improving penetration testing through static and dynamic analysis. Software Testing, Verification and Reliability, 21(3), 195–214.CrossRef

24.

Rawat, S., Ceara, D., Mounier, L., & Potet, M. L. (2013). Combining static and dynamic analysis for vulnerability detection. arXiv preprint arXiv:1305.3883.

25.

Eclipse. https://www.eclipse.org/.

26.

Acceleo, Eclipse plugin. http://www.eclipse.org/acceleo/.

27.

MOFM2T. http://www.omg.org/spec/MOFM2T/1.0/.

28.

Thomas, S., & Williams, L. (2007). Using automated fix generation to secure SQL statements. In Proceedings of the Third International Workshop on Software Engineering for Secure Systems (p. 9). IEEE Computer Society.

Title: Software Vulnerability Detection Methodology Combined with Static and Dynamic Analysis
Authors: Seokmo Kim
R. Young Chul Kim
Young B. Park
Publication date: 01-08-2016
Publisher: Springer US
Published in: Wireless Personal Communications / Issue 3/2016
Print ISSN: 0929-6212
Electronic ISSN: 1572-834X
DOI: https://doi.org/10.1007/s11277-015-3152-1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2016

Information Interoperability System Using Multi-agent with Security

Variability Change Management Using the Orthogonal Variability Model-Based Traceability

Voice Activity Detection Using an Improved Unvoiced Feature Normalization Process in Noisy Environments

Algorithm of a Perspective Transform-Based PDF417 Barcode Recognition

Cyber Physical System-Based Convergence Operation of Data Intensive Computing Resources

Convergence Interaction for Communication