| John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In 16th Annual Computer Security Applications Conference, December 2000. http://www.acsac.org. |
....opportunity to change the underlying filesystem object between the time of the check and the time of use. The flaw presented in Section 3.2 is of just this type. Bishop and Dilger [2] built a lexical analysis tool specifically for the purpose of unearthing file access race conditions. Viega et al. [29] point out that quite a few common security problems are easy to identify in source code. For example, the presence of a call to the C library function gets almost always indicates a security problem because it is difficult to prevent buffer overflow attacks with gets. Their source code analysis ....
J. Viega, J. T. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the Annual Computer Security Applications Conference. Applied Computer Security Associates, 2000.
....identifying buffer overflow vulnerabilities. In general, the problem is undecidable, but in practice, by limiting the type of search, it is possible to detect many such flaws. 2.2.1 ITS4 Viega et al. present a tool called ITS4, which scans C and C++ source code for known dangerous library calls [37]. It also does a small amount of checking on the arguments to these calls. For example, strcpy(dst, n ) would be flagged with a low severity level, under the assumption that the programmer will have allocated enough space to hold a fixed-length string. ITS4 would also flag the following with a ....
J. Viega, J.T. Bloch, T. Kohno, and G. McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
....Work analyzing programs for buffer overflows falls into two classes: static analysis and dynamic analysis. 2.1 Static Analysis A number of tools examine source code for buffer overflow. ITS4, typical of a large class of these tools, scans C and C++ source code for known dangerous library calls [22]. It also does a small amount of checking on the arguments to these calls and reports the severity of the threat. For example, library calls that copy a fixed length string into a buffer are rated as less severe than library calls that copy the contents of an array into a buffer (presumably, ....
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
....which they often do not. Many of these functions are powerful for handling strings and thus popular. More secure versions have in some cases been implemented but are not always known by programmers. There are lists of these dangerous C functions often involved in published buffer overflows [35, 30, 31]. From these lists we have chosen to take the fifteen functions considered most risky into our testbed: 1. gets( 2. cuserid( 3. scanf( 4. fscanf( 5. sscanf( 6. vscanf( 7. vsscanf( 9. sprintf( 10. strcat( 11. strcpy( 12. streadd( 13. strecpy( 14. vsprintf( 15. strtrns( 8. ....
....publicly available tools for static intrusion prevention. 3.3 ITS4 In late 2000 researchers at Reliable Software Technologies, now Cigital, presented a static analysis tool for detecting security vulnerabilities in C and C++ code, It's the Software Stupid Security Scanner, or ITS4 for short [30]. The tool does a lexical analysis, building a token stream of the code. Then the tokens are matched against known vulnerable functions in a database. The reason for not performing a deeper analysis with the help of syntactic analysis (parsing) is that such an analysis cannot be made on the fly during ....
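The excerpts above describe the same mechanism from several angles: a lexical pass that builds a token stream (no parsing), a lookup of each call against a database of dangerous functions, a shallow argument check that rates strcpy of a fixed string literal as low severity, and a flag on access() because of the check-then-use file race mentioned in the first excerpt. The following scanner is an added illustration written for this page; it is not ITS4's own code. Its function database, its severity levels, the "no %s in the format string" heuristic and the sample C input are all constructed assumptions.

```python
"""
ITS4-style lexical scanner: tokenize C source, match call sites against a
small database of dangerous library functions, and adjust severity from a
shallow look at the arguments.  Added illustration for this page; it is not
the ITS4 code.  The function database, severity levels and sample input are
constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Token:
    kind: str   # "string", "ident", "number", "punct" or "other"
    text: str
    line: int


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    note: str


# Constructed subset of the "dangerous function" lists quoted on this page.
DANGEROUS = {
    "gets":     ("high",   "no bound on input length; use fgets"),
    "strcpy":   ("high",   "unbounded copy; use a length-bounded copy"),
    "strcat":   ("high",   "unbounded append; use a length-bounded append"),
    "sprintf":  ("high",   "unbounded formatting; use snprintf"),
    "vsprintf": ("high",   "unbounded formatting; use vsnprintf"),
    "scanf":    ("high",   "%s conversion without a width is unbounded"),
    "sscanf":   ("high",   "%s conversion without a width is unbounded"),
    "access":   ("medium", "check/use race if the path is opened afterwards"),
}

TOKEN_RE = re.compile(r'''
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<number>\d+)
  | (?P<punct>[()\[\]{},;])
  | (?P<other>\S)
''', re.VERBOSE | re.DOTALL)


def tokenize(src: str) -> list:
    """Lexical analysis only: comments dropped, no parsing, no types, no control flow."""
    tokens, line, pos = [], 1, 0
    for m in TOKEN_RE.finditer(src):
        line += src.count("\n", pos, m.start())   # whitespace skipped by finditer
        if m.lastgroup != "comment":
            tokens.append(Token(m.lastgroup, m.group(), line))
        line += m.group().count("\n")             # multi-line comments
        pos = m.end()
    return tokens


def call_args(tokens: list, i: int) -> list:
    """tokens[i] is the '(' of a call; return its arguments as lists of tokens."""
    depth, args, cur = 0, [], []
    for t in tokens[i:]:
        if t.text == "(":
            depth += 1
            if depth > 1:
                cur.append(t)
        elif t.text == ")":
            depth -= 1
            if depth == 0:
                if cur or args:
                    args.append(cur)
                return args
            cur.append(t)
        elif t.text == "," and depth == 1:
            args.append(cur)
            cur = []
        else:
            cur.append(t)
    return args   # unbalanced parentheses: return what was collected


def is_literal(arg: list) -> bool:
    return len(arg) == 1 and arg[0].kind == "string"


def scan(src: str) -> list:
    """Report dangerous calls in source order with an argument-adjusted severity."""
    tokens = tokenize(src)
    findings = []
    checked = {}   # path argument text -> line of the access() call that checked it
    for i, t in enumerate(tokens[:-1]):
        if t.kind != "ident" or tokens[i + 1].text != "(":
            continue
        args = call_args(tokens, i + 1)
        text = [" ".join(x.text for x in a) for a in args]
        if t.text in DANGEROUS:
            sev, note = DANGEROUS[t.text]
            # Argument check: copying a fixed string literal, or formatting with
            # no %s, is rated low (the programmer presumably sized the destination).
            if t.text in ("strcpy", "strcat") and len(args) > 1 and is_literal(args[1]):
                sev, note = "low", "source is a fixed-length string literal"
            elif (t.text in ("sprintf", "vsprintf") and len(args) > 1
                  and is_literal(args[1]) and "%s" not in args[1][0].text):
                sev, note = "low", "format string contains no %s"
            if t.text == "access" and text:
                checked[text[0]] = t.line
            findings.append(Finding(t.line, t.text, sev, note))
        elif t.text in ("open", "fopen") and text and text[0] in checked:
            findings.append(Finding(t.line, t.text, "high",
                            f"TOCTOU: path was checked with access() on line {checked[text[0]]}"))
    return findings


# Constructed sample input exercising each heuristic (not from the cited papers).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

int main(int argc, char **argv) {
    char buf[64], name[16], msg[128];
    strcpy(name, "guest");              /* fixed string: low */
    strcpy(buf, argv[1]);               /* attacker-controlled: high */
    gets(msg);                          /* never safe */
    sprintf(msg, "id=%d", argc);        /* no %s: low */
    sprintf(msg, "user=%s", argv[1]);   /* %s: high */
    if (access(argv[2], W_OK) == 0) {
        int fd = open(argv[2], O_WRONLY);   /* check-then-use race */
    }
    return 0;
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line:>3}  {f.severity:<6} {f.func}(): {f.note}")
```

Because the scanner never parses, it is fast and works on code that does not compile, which is the trade-off the third excerpt describes; the price is that it cannot tell a safe strcpy into a correctly sized buffer from an unsafe one unless the source operand is literally a string constant, and it matches the access()/open() pair purely on identical argument text.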
John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
John Viega, J.T. Bloch, Tadayoshi Kohno, Gary McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In Proceedings of Annual Computer Security Applications Conference. New Orleans, LA, December, 2000.
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In 16th Annual Computer Security Applications Conference, Dec. 2000.
John Viega, J. T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In ACSAC 2000.
John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
John Viega, J. T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A static vulnerability scanner for C and C++ code. ACM Transactions on Information and System Security, 5(2), 2002.
John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In 16th Annual Computer Security Applications Conference, New Orleans, Louisiana, U.S.A., December 2000. (Cited on pages 3, 30 and 65.)
J. Viega, J. T. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4 : A Static Vulnerability Scanner for C and C++ Code. ftp://ftp.rstcorp.com/pub/papers/its4.pdf, 2000.
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Annual Computer Security Applications Conference, 2000.