Improving software security with a C pointer analysis.

This paper presents a context-sensitive, inclusion-based, field-sensitive points-to analysis for C and uses the analysis to detect and prevent security vulnerabilities in programs. ... This paper uses the proposed pointer alias analyses to infer the types of variables in C programs and shows that most C variables are used in a manner consistent with their declared types. ... This paper explores the use of more advanced pointer alias analysis to create practical tools for improving software security. ...

doi:10.1145/1062455.1062520 dblp:conf/icse/AvotsDLL05 fatcat:sovay67qjfdmzkhtj54ccpuvxi

The most important objective of PSSS security process is to improve the effectiveness of software security projects. ... The overall objective of this paper is to evaluate the security analysis of the given software and return a security report which allows programmers to take certain action based upon the outcomes. ... SDL can be characterized as follows [7] :  Security as a supporting quality: The primary goal of SDL is to increase the quality of functionality driven software by improving its security posture. ...

doi:10.5120/17354-7855 fatcat:csxfgjnz4bfj7ltnir2irqbwti

software security, and software engineering. ... reduction: A pointer-analysis-based static approach for detecting [24] C. Cadar, D. Dunbar, D. R. ...

doi:10.1109/tse.2021.3121994 fatcat:35opzmr2gbg67mnftjkdedm7y4

Open Access

Future work will implement this approach in a prototype, and validate it on real memory leaks found in complex software. ... Nevertheless, it is still difficult to deal with bugs located in OTS software, since developers lack the source code and/or knowledge about their internals to fix these bugs. ... Second-Write [20] is a binary rewriting tool aimed at retrofitting security checks in binary COTS software. ...

doi:10.1109/issrew.2014.44 dblp:conf/issre/CotroneoN14 fatcat:6igeq33vgjhc5a4q4znu2wevrm

For example, to determine if violations of property 3 are amenable to source code analysis, we might start with a known security hole. ... At statement D, the analysis recognizes an illegal de-reference of a pointer with value 0, and an error is reported. ...

doi:10.1145/966712.966722 fatcat:mb4ypsvrxbgfzdbzmhvgmiqnm4

The lack of memory safety in many popular programming languages, including C and C++, has been a cause for great concern in the realm of software reliability, verification, and more recently, system security ... Our approach is completely automated, and applicable to any C program, making it a promising and practical approach for addressing the growing security and reliability concerns in embedded software. ... The security risks faced by unsafe C software have inspired many countermeasures aimed at preventing buffer overflows. ...

doi:10.1145/1176254.1176281 dblp:conf/codes/AroraRRJ06 fatcat:o6vwhg4gprg3zdtpajzjyp7esm

This paper describes the design and implementation of a security tool for C programs that addresses all these issues: it has a low runtime overhead, does not require source code modification by the programmer ... The tool uses static analysis to identify potentially dangerous pointer dereferences, and memory locations that are legitimate targets of these pointers. ... We thank George Necula for help with CCured, and the anonymous reviewers for their useful suggestions. ...

doi:10.1145/940071.940113 dblp:conf/sigsoft/YongH03 fatcat:qlzir2on3nbdtmxsf4ntssvlci

MISRA C is a coding standard defining a subset of the C language, initially targeted at the automotive sector, but now adopted across all industry sectors that develop C software in safety-and/or security-critical ... We also outline the role of static analysis in the automatic checking of compliance with respect to MISRA C, and the role of the MISRA C language subset in enabling a wider application of formal methods ... We are grateful to the following people who helped in proofreading the paper and provided useful comments and advice: Fulvio Baccaglini (PRQA -a Perforce Company, MISRA C Working Group), Dave Banham (Rolls-Royce ...

doi:10.1007/978-3-319-99725-4_2 fatcat:6phmdyfq4bde7lvwdch5q2aizm

A hardware reference monitor enforces a security manifest of memory access permissions for the currently executing component. ... In this paper we discuss how automation tools can help software developers to create the security manifest that configures hardware containers. ... Software developers can use security annotations to denote the expected ranges and permissions for memory that such pointers should access. ...

doi:10.1109/safeconfig.2011.6111677 dblp:conf/safeconfig/LeontieBS11 fatcat:6jmxj7ghnbhfznplzr3g6mqjxe

Instead, security must be supported from the ground up, starting with the tools used to build software. ... A randomly assigned modifier-or a nonce-would require the modifier to be securely tracked or otherwise associated with the correct pointer. ...

doi:10.1145/3342559.3365336 dblp:conf/sosp/LiljestrandGNEA19 fatcat:nrvxdisehbau7kd3ojbkuhtxeu

with the aim of making C programs (more) secure. ... e.g., the CERT C Secure Coding standard or the MISRA (the Motor Industry Software Reliability Assocation) C standard. ... In an effort to improve the quality of security critical C programs, the US CERT 1 organisation is maintaining and developing a set of rules and recommendations, called the CERT C Secure Coding Standard ...

doi:10.14279/tuj.eceasst.33.455 dblp:journals/eceasst/OlesenHLP10 fatcat:xmjadtfl4jhyhc2xevgaambiz4

DOAJ OJS Szczepanski

Gurindar, Efficient detection of all pointer and array access errors, in: In this paper, we propose a hardware/software method to optimize the performance of array & pointer boundary checking by designing ... a special boundary checking instruction. ... In [14, 13] , we propose a hardware/software codesign method with special secure instructions to defend against buffer overflow attacks. ...

doi:10.1016/j.jpdc.2006.04.010 fatcat:o2l2a3hsprddtkazchsdzwxu7y

In order to improve the ability to accurately detect software security vulnerabilities, this study proposes a new approach based on a technique of analyzing and standardizing software code and the random ... ; ii) behavior analysis-based detection using classification algorithms, i.e., methods based on analyzing the software code. ... Refs. [27] [28] [29] [30] [31] proposed methods combining deep learning with graph analysis for the task of detecting software security vulnerabilities using C, C++, Java, etc. 3 The Method for Detecting ...

doi:10.5614/itbj.ict.res.appl.2022.16.1.5 fatcat:5u235bxcerhm5cezwc3tzdedca

DOAJ OJS

Rust is a new system programming language that offers a practical and safe alternative to C. ... We show three examples of such capabilities: zero-copy software fault isolation, efficient static information flow analysis, and automatic checkpointing. ... Even worse, pervasive use of pointer aliasing, pointer arithmetic, and unsafe type casts keeps modern systems beyond the reach of software verification tools. Why are we still using C? ...

doi:10.1145/3139645.3139660 fatcat:h2brz34d7fgrzalvbjqy2a7mse

It can be used as an assistant tool for security analysis of Java bytecode from unknown softwares which will be used as extern LIBs. ... So a novel method to check the bugs in Java bytecode based on points-to dataflow analysis is in need, which is different to the common analysis techniques base on the vulnerability pattern check. ... The following subsections describe the improved pointed-to dataflow analysis. A. ...

doi:10.5281/zenodo.1082355 fatcat:flwiigcfqvhqzg5smpvnwlho5q

Open Access

Improving software security with a C pointer analysis

Preserved Fulltext

Improved Security Evaluation of the Software by using PSSS based Security Analyzer

Preserved Fulltext

Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone

Preserved Fulltext

Towards Patching Memory Leak Bugs in Off-The-Shelf Software

Preserved Fulltext

Uprooting Software Defects at the Source

Preserved Fulltext

Architectural support for safe software execution on embedded processors

Preserved Fulltext

Protecting C programs from attacks via invalid pointer dereferences

Preserved Fulltext

The MISRA C Coding Standard and its Role in the Development and Analysis of Safety- and Security-Critical Embedded Software [chapter]

Preserved Fulltext

Automation for creating and configuring security manifests for hardware containers

Preserved Fulltext

Protecting the stack with PACed canaries

Preserved Fulltext

Clang and Coccinelle: Synergising program analysis tools for CERT C Secure Coding Standard certification

Preserved Fulltext

Hardware/software optimization for array & pointer boundary checking against buffer overflow attacks

Preserved Fulltext

Automatically Detect Software Security Vulnerabilities Based on Natural Language Processing Techniques and Machine Learning Algorithms

Preserved Fulltext

System Programming in Rust

Preserved Fulltext

The Vulnerability Analysis Of Java Bytecode Based On Points-To Dataflow

Preserved Fulltext