Static Program Analysis for Security
نویسنده
چکیده
In this chapter, we discuss static analysis of the security of a system. First, we discuss the background on what types of static analysis is feasible in principle and then move on to what is practical. We next discuss static analysis of buffer overflow and mobile code followed by access control. Finally, we discuss static analysis of information flow expressed in a language that has been annotated with flow policies.
منابع مشابه
Program Transformations under Dynamic Security Policies
A new static analysis is proposed for programming languages with access control based on stack inspection. This analysis allows for various security-aware program optimizations. A novel feature of our static analysis is that it is parametric with respect to the security policy in force, so it needs not to be recomputed when the access rights are dynamically updated.
متن کاملPrecise Scalable Static Analysis for Application-Specific Security Guarantees
This dissertation presents Pidgin, a static program analysis and understanding tool that enables the specification and enforcement of precise application-specific information security guarantees. Pidgin also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples. Pidgin combines program dependence graphs (PDGs)...
متن کاملStatic Analysis for Security
source-code security analysis with static analysis tools. Since ITS4's release in early 2000 (www.cigital.com/its4/), the idea of detecting security problems through source code has come of age. ITS4 is extremely simple—the tool basically scans through a file looking for syntactic matches based on several simple " rules " that might indicate possible security vulnera-bilities (for example, use ...
متن کاملA Security Domain Model for Static Analysis and Verification of Software Programs
Unauthorized information flows can result from malicious software exploiting covert channels and overt flaws in access control design. To address this problem, we present a precise, formal definition for information flow that relies on control flow dependency tracing through program execution, and extends Dennings’ and follow-on classic work in secure information flow [7][19][27]. We describe a...
متن کاملThe Need for Fourth Generation Static Analysis Tools for Security – From Bugs to Flaws
This paper discusses some of the limitations of the current (third) generation static code analyzers for security available on the market today and gives reasons for the plateau in their usefulness to a code reviewer. We further describe some of the characteristics of the next generation static analysis technology that will enable a new quantum leap in the space of static analysis with tools th...
متن کامل