Using Testing Techniques for Vulnerability Detection in C Programs

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 7019)


Abstract

This paper presents a technique for vulnerability detection in C programs. It is based on a formal vulnerability model called “Vulnerability Detection Conditions” (VDCs). This model is used together with passive testing techniques for the automatic detection of vulnerabilities. The proposed technique has been implemented in a dynamic code analysis tool, TestInv-Code, which detects the presence of vulnerabilities in given code by dynamically checking the VDCs on the execution traces of the program. The tool has been applied to several C applications containing some well-known vulnerabilities to illustrate its effectiveness. It has also been compared with existing tools on the market, showing promising performance.

The research leading to these results has received funding from the European ITEA-2 project DIAMONDS.


Author information

Authors and Affiliations

  1. Télécom SudParis, SAMOVAR, 9 rue Charles Fourier, 91011, Evry Cedex, France

    Amel Mammar, Ana Cavalli & Willy Jimenez

  2. Montimage, 39 rue Bobillot, Paris, 75013, France

    Wissam Mallouli & Edgardo Montes de Oca


Editor information

Editors and Affiliations

  1. Université Paris-Sud, LRI UMR 8623 CNRS, 91405, Orsay Cedex, France

    Burkhart Wolff & Fatiha Zaïdi

Copyright information

© 2011 IFIP International Federation for Information Processing

About this paper

Cite this paper

Mammar, A., Cavalli, A., Jimenez, W., Mallouli, W., de Oca, E.M. (2011). Using Testing Techniques for Vulnerability Detection in C Programs. In: Wolff, B., Zaïdi, F. (eds) Testing Software and Systems. ICTSS 2011. Lecture Notes in Computer Science, vol 7019. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24580-0_7
