An automated approach for identifying potential vulnerabilities in software

Author

Ghosh, Anup K. ; O´Connor, Tom ; McGraw, Gary

Author_Institution

Reliable Software Technol. Corp., Sterling, VA, USA

fYear

1998

fDate

3-6 May 1998

Firstpage

104

Lastpage

114

Abstract

The paper presents results from analyzing the vulnerability of security-critical software applications to malicious threats and anomalous events using an automated fault injection analysis approach. The work is based on the well understood premise that a large proportion of security violations result from errors in software source code and configuration. The methodology employs software fault injection to force anomalous program states during the execution of software and observes their corresponding effects on system security. If insecure behaviour is detected, the perturbed location that resulted in the violation is isolated for further analysis and possibly retrofitting with fault tolerant mechanisms

Keywords

safety-critical software; security of data; software fault tolerance; system monitoring; anomalous events; anomalous program states; automated approach; automated fault injection analysis approach; fault tolerant mechanisms; insecure behaviour detection; malicious threats; perturbed location; potential software vulnerabilities; security violations; security-critical software applications; software fault injection; software source code; system security; Application software; Capability maturity model; Computer security; Performance analysis; Protocols; Software debugging; Software performance; Software quality; Software testing; Software tools;

fLanguage

English

Publisher

ieee

Conference_Titel

Security and Privacy, 1998. Proceedings. 1998 IEEE Symposium on

Conference_Location

Oakland, CA

ISSN

1081-6011

Print_ISBN

0-8186-8386-4

Type

conf

DOI

10.1109/SECPRI.1998.674827

Filename

674827