DocumentCode
3265360
Title
Vulnerability detector using parse tree annotation
Author
Akbari, Mohammad ; Berenji, Sarah ; Azmi, Reza
Author_Institution
Eng. Dept., Islamic Azad Univ., Tehran, Iran
Volume
4
fYear
2010
fDate
22-24 June 2010
Abstract
Static vulnerability Detection approach usually produces large amount of false positives. To achieve better result, a tool which is able to understand the analyzed source code and join it to high level programming concepts is needed. The proposed tool presents in this paper provides a novel semantic level method for detecting C language source code vulnerabilities. In a programming language each vulnerability is correlated to a valid code in point of compiler view. In other word, a written code in a particular situation may cause a vulnerability. To implement this tool, a collection of vulnerability attribute (VA) that represented a source code pattern for each vulnerability is prepared. Then the relation of these VAs in a pattern is extracted. In continue the parse tree of estimating source code was generated. Vulnerability detection is done in two general steps; first the generated parse tree is traversed by DFS and annotated, then vulnerability detection rules (VR) are performed on annotated tree to find code weaknesses. In this paper proposed tool is compared with other vulnerability detection tools. The comparison shows that the tool is useful for finding buffer overflow flaws with low false positive rate.
Keywords
C language; program compilers; software tools; C language source code vulnerability; buffer overflow flaw; high level programming language; parse tree annotation; semantic level method; source code pattern; static vulnerability detection; vulnerability attribute; vulnerability detection rules; vulnerability detection tool; vulnerability detector; Buffer overflow; Computer languages; Computer science education; Detectors; Educational technology; Program processors; Programming profession; Security; Testing; Virtual reality; Parse tree annotation; Software security; Software vulnerability; Source code analysis;
fLanguage
English
Publisher
ieee
Conference_Titel
Education Technology and Computer (ICETC), 2010 2nd International Conference on
Conference_Location
Shanghai
Print_ISBN
978-1-4244-6367-1
Type
conf
DOI
10.1109/ICETC.2010.5529688
Filename
5529688
Link To Document