
Classification of Diagnostic Information and Analysis Methods for Weaknesses in C/C++ Programs

  • Han, Kyungsook (Dept. of Computer Engineering, Korea Polytechnic University) ;
  • Lee, Damho (Dept. of Computer Engineering, Hongik University) ;
  • Pyo, Changwoo (Dept. of Computer Engineering, Hongik University)
  • Received: 2017.03.09
  • Reviewed: 2017.03.23
  • Published: 2017.03.31

Abstract

In this paper, we classify the weaknesses of C/C++ programs listed in CWE according to the diagnostic information produced at each stage of program compilation. Our classification identifies which compilation stage should be responsible for analyzing each weakness. We also present algorithmic frameworks for detecting typical weaknesses in each class to demonstrate the validity of our scheme. Weaknesses that cannot be analyzed from compiler diagnostic information are separated into a group that is often detectable by analyses that simulate program execution, for instance symbolic execution and abstract interpretation. We expect that this classification of weaknesses, and of the corresponding diagnostic information, will contribute to the systematic development of static analyzers that minimize false positives and false negatives.

