J. Viega, J.T. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Annual Computer Security Applications Conference, 2000.
....a system that uses global information to detect time-of-check-to-time-of-use (TOCTTOU) race conditions in privileged Unix applications. More recently, there has been work on finding information leaks [12], intrusion detection [17], and a lot of attention paid to detecting buffer overflows [6, 11, 13, 16, 18]. More generally, many projects have embedded hard-wired application-level information in compilers to find errors [1, 2, 3, 7, 14, 18]. At a low level, our checkers find different error types than this prior work. At a higher level, these projects find a fixed set of errors, whereas we show that a ....
J. Viega, J.T. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Annual Computer Security Applications Conference, 2000.
....program correctness but requires the creation of a complete specification of the program, a difficult and often impractical undertaking. Recent work has focused on automatic systems designed to detect errors with minimal or no manual intervention. Such systems include lexical techniques [18], enhanced type systems [17, 20], and compiler-based approaches that use finite state machines [9] or model checking [1]. All of these approaches have problems that limit their usefulness. Lexical approaches detect only superficial errors. The type-based approach requires manual intervention and ....
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: a static vulnerability scanner for C and C++ code. In 16th Annual Computer Security Applications Conference, December 2000.
....thus demonstrating that open source software can indeed produce industrial-strength software. As outlined in [Sch00a], open source software is a good way to achieve reliable and secure IT systems supporting the business needs of many companies. In fact, a source code analysis of MICO with ITS4 [VBKM00] revealed that MICO does not contain very security-critical code. As MICO provides only a C language mapping, we decided to show interoperability of the MICOsec prototype with another CORBAsec product. Adiron's ORBAsec SL2 [Adi00], which is based on Java, was chosen as the peer security service ....
John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. ftp://ftp.rstcorp.com/pub/papers/its4.pdf, 2000. © 2000 Springer-Verlag, Informatik aktuell, http://www.springer.de/comp-de/inf akt/index.html
....tools generally are concerned with taking preexisting source code, and identifying potentially dangerous constructs based on a database and some static analysis. Currently, the only publicly available tool for source code analysis is ITS4, which scans C and C++ code for over 100 potential problems [9]. Wagner has a buffer-overflow scanner that performs a more sophisticated analysis; however, it is not publicly available, and is limited in scope [10]. Similar tools exist that are general purpose, and may catch some security bugs, including lint tools such as LCLint [3]. Previous work has also ....
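The two excerpts above describe the same idea from opposite sides: ITS4 matches source code against a database of dangerous constructs, and lexical approaches "detect only superficial errors". The following scanner is an added illustration of that trade-off and is not ITS4's own code; its risk database, the sample C file and the hypothetical advice strings are constructed for the demo. It drops comments and string literals, reports calls to functions in the database with their line numbers, and is run over a C snippet that contains a true positive (strcpy), two lexical decoys it must ignore (a mention in a comment, an identifier that merely contains the name), a real overflow in length arithmetic it cannot see, and the access()-then-open() check-then-use pattern behind the TOCTTOU work cited in the first excerpt.

```python
"""
ITS4-style lexical vulnerability scan, written as an added illustration.
This is not ITS4's code; the function database below is constructed.

A lexical scan finds calls to functions that are risky by name, but knows
nothing about buffer sizes, data flow or the code around the call.
"""
import re
from typing import List, NamedTuple

# Constructed risk database: name -> (severity, advice).  ITS4's real database
# is larger and ranks functions differently; this one exists only for the demo.
RISKY_CALLS = {
    "gets":    ("high",   "unbounded read into a buffer; use fgets with a size"),
    "strcpy":  ("high",   "no length bound on the copy; use strlcpy or snprintf"),
    "strcat":  ("high",   "no length bound on the append; use strlcat"),
    "sprintf": ("medium", "formatted output is unbounded; use snprintf"),
    "system":  ("medium", "command injection if the argument is attacker-controlled"),
    "access":  ("medium", "check-then-use on a path name (TOCTTOU); open, then check the fd"),
}

class Finding(NamedTuple):
    line: int
    func: str
    severity: str
    advice: str

# One alternation, so a string literal containing "//" (e.g. a URL) is consumed
# as a string rather than mistaken for the start of a line comment.
_NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
# An identifier directly followed by "(" that is not the tail of a longer
# identifier, so my_strcpy( is not reported as a call to strcpy.
_CALL_RE = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\s*\(")

def _blank_out(m):
    """Replace a comment or string with spaces, keeping newlines so line numbers hold."""
    return re.sub(r"[^\n]", " ", m.group(0))

def strip_comments_and_strings(src: str) -> str:
    return _NOISE_RE.sub(_blank_out, src)

def scan(src: str) -> List[Finding]:
    """Return every call to a function in RISKY_CALLS, with its 1-based line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in RISKY_CALLS:
                severity, advice = RISKY_CALLS[name]
                findings.append(Finding(lineno, name, severity, advice))
    return findings

# Constructed C input: one true positive, two decoys the scanner must ignore,
# one real bug it cannot see, and the TOCTTOU check-then-use pattern.
SAMPLE_C = """#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* strcpy(dst, src) mentioned in a comment must not be reported */
static char banner[] = "call gets() here";   /* nor inside a string literal */

int copy_name(char *dst, const char *src) {
    strcpy(dst, src);                /* true positive: unbounded copy */
    return 0;
}

int copy_block(char *dst, size_t n, const char *src) {
    memcpy(dst, src, n * 2);         /* real overflow in the length arithmetic; invisible lexically */
    return 0;
}

int my_strcpy(char *d, const char *s) { return 0; }   /* contains the name, is not a call */

int open_if_allowed(const char *path) {
    if (access(path, R_OK) == 0)     /* check ... */
        return open(path, O_RDONLY); /* ... then use: TOCTTOU window between the two */
    return -1;
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line:3d}  {f.severity:6s}  {f.func}(): {f.advice}")
```

Run stand-alone, the scanner reports line 10 (strcpy) and line 22 (access) and nothing else. The memcpy on line 15 is the interesting miss: the call is fine by name, the bug is that the length is twice the buffer, and deciding that needs the data-flow reasoning the excerpt above attributes to Wagner's scanner and to the compiler-based checkers, not a string match. Conversely, if memcpy were added to the database every memcpy in the tree would be reported, which is the false-positive side of the same superficiality.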
J. Viega, J.T. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. Submitted to USENIX Security, 2000.