The Evolution and Decay of Statically Detected Source Code Vulnerabilities

Massimiliano Di Penta, Luigi Cerulo, Lerina Aversano
2008 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation  
Specifically, the study investigates on vulnerability evolution trends and on the decay time exhibited by different kinds of vulnerabilities.  ...  The presence of vulnerable statements in the source code is a crucial problem for maintainers: properly monitoring and, if necessary, removing them is highly desirable to ensure high security and reliability  ...  Acknowledgments The authors are partially supported by the project METAMORPHOS (MEthods and Tools for migrAting software systeMs towards web and service Oriented aRchitectures: exPerimental evaluation,  ... 
doi:10.1109/scam.2008.20 dblp:conf/scam/PentaCA08 fatcat:r3xtrmoy4ja5hl27sirodtiuim

The life and death of statically detected vulnerabilities: An empirical study

Massimiliano Di Penta, Luigi Cerulo, Lerina Aversano
2009 Information and Software Technology  
This paper reports on an empirical study, conducted across four networking systems, aimed at observing the evolution and decay of vulnerabilities detected by three freely available static analysis tools  ...  The study is performed by using a framework that traces the evolution of source code fragments across subsequent commits.  ...  Acknowledgments We would like to thank the anonymous reviewers for their very constructive comments on early versions of this manuscript.  ... 
doi:10.1016/j.infsof.2009.04.013 fatcat:j5h4ekqzpfa2tlzelpsv4kwzjm

Predicting Software Flaws with Low Complexity Models based on Static Analysis Data

Paulo Meirelles, Lucas Kanashiro, Athos Ribeiro, David Silva, Antonio Terceiro
2018 Journal of Information Systems Engineering & Management  
The tasks of collecting and calculating source code metrics are most often automated, but how should we monitor them during the software development cycle?  ...  Based on static analysis data, we propose low complexity models to study flaws in the Linux source code.  ...  ACKNOWLEDGEMENTS National Council for the Improvement of Higher Education (CAPES) for supporting Lucas Kanashiro and Athos Ribeiro during the production of this paper.  ... 
doi:10.20897/jisem.201817 fatcat:dsvuxhygvrgr7nszzbjoln7evm

Tracking Your Changes: A Language-Independent Approach

Gerardo Canfora, Luigi Cerulo, Massimiliano Di Penta
2009 IEEE Software  
The availability of powerful differencing algorithms is crucial to track the evolution of source code, for example with the purpose of monitoring clones or vulnerable statements.  ...  We show how the algorithm is able to track the evolution of code elements in real-world software systems with acceptable precision, and provide examples-such as clone tracking and vulnerability tracking-where  ...  Figure 4 -b compares the decay time of different kinds of vulnerabilities detected by Splint in the Squid Web proxy 8 source code, and indicates how vulnerabilities such as buffer overflows and memory  ... 
doi:10.1109/ms.2009.26 fatcat:plxz3h77wref7angiy5pm7fud4

An Empirical Examination of the Relationship between Code Smells and Vulnerabilities

Aakanshi Gupta, Bharti Suri, Vijin Vincent
2020 International Journal of Computer Applications  
For continuous inspection of code quality, Sonar Cloud has been used to conduct automated assessments with static code analysis to detect code smells and vulnerabilities with web scrapping technique.  ...  The quality of software is a crucial issue as a software system evolves. Managing source code smells and vulnerabilities contributes to software quality.  ...  Several automated tools already exist to detect vulnerable source code statements like Splint and Pixy etc. which can detect vulnerabilities by analyzing the static source code for this research work SonarCloud  ... 
doi:10.5120/ijca2020920362 fatcat:nyid7d23ifhnbpbhkubj7dupvi

Multi-context Attention Fusion Neural Network for Software Vulnerability Identification [article]

Anshul Tanwar, Hariharan Manikandan, Krishna Sundaresan, Prasanna Ganesan, Sathish Kumar Chandrasekaran, Sriram Ravi
2021 arXiv   pre-print
In this work, we propose a deep learning model that learns to detect some of the common categories of security vulnerabilities in source code efficiently.  ...  Thus helping a developer to quickly focus on the vulnerable code sections; and this becomes the "explainable" part of the vulnerability detection.  ...  Some of the most popular source code-based static analysis methods for code vulnerability finding include, code similarity-based methods [12, 13] and pattern-based methods [14] [15] [16].  ... 
arXiv:2104.09225v1 fatcat:qwpzhbjp35a7xdach6rrnihmxq

On the Relationship between Program Evolution and Fault-Proneness: An Empirical Study

F. Jaafar, S. Hassaine, Y. Gueheneuc, S. Hamel, B. Adams
2013 2013 17th European Conference on Software Maintenance and Reengineering  
Over the years, many researchers have studied the evolution and maintenance of object-oriented source code in order to understand the possibly costly erosion of the software.  ...  We perform an empirical study, on three open-source programs: ArgoUML, JFreechart, and XercesJ, to examine the relation between the evolution of object-oriented source code at class level and fault-proneness  ...  ACKNOWLEDGMENT This work has been partly funded a FQRNT team grant and the Canada Research Chair in Software Patterns and Patterns of Software.  ... 
doi:10.1109/csmr.2013.12 dblp:conf/csmr/JaafarHGHA13 fatcat:akl6i6dwhrg2lbdwk3jnuvoppy

Security Testing of Web Applications: A Search-Based Approach for Cross-Site Scripting Vulnerabilities

Andrea Avancini, Mariano Ceccato
2011 2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation  
We take advantage of static analysis to detect candidate cross-site scripting vulnerabilities.  ...  More and more web applications suffer the presence of cross-site scripting vulnerabilities that could be exploited by attackers to access sensitive information (such as credentials or credit card numbers  ...  Static analysis Taint analysis is applied using Pixy [4], an open source tool for static analysis of PHP code.  ... 
doi:10.1109/scam.2011.7 dblp:conf/scam/AvanciniC11 fatcat:uuasarwcyzdxbicntt2xsp7eay

Using Microservice Telemetry Data for System Dynamic Analysis [article]

Abdullah Al Maruf, Alexander Bakhtin, Tomas Cerny, Davide Taibi
2022 arXiv   pre-print
In this paper, we assess the opportunity to combine current dynamic analysis tools with anomaly detection in the form of quality metrics and anti-patterns.  ...  However, given the decentralization and possible language diversity across microservices, static analysis tools are lacking.  ...  ACKNOWLEDGMENT This material is based upon work supported by the National Science Foundation under Grant No. 1854049, grant from Red Hat Research, and Ulla Tuominen (Shapit).  ... 
arXiv:2207.02776v1 fatcat:5nusc77ftjhmjgvaliw76qtjoi

On information flow for intrusion detection

Mohammed I. Al-Saleh, Jedidiah R. Crandall
2010 Proceedings of the 2010 workshop on New security paradigms - NSPW '10  
We measure the amount of information flow between tainted sources and the control path of the CPU for a variety of scenarios and show that our prototype system gives intuitive, meaningful results.  ...  Intrusion detection based on a general method for information flow tracking would allow for very explicit and general definitions of attacks that precluded entire categories of vulnerabilities and exploits  ...  Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the National Science Foundation.  ... 
doi:10.1145/1900546.1900551 dblp:conf/nspw/Al-SalehC10 fatcat:nf2yr5mvnbh45czjsrcuxbikoy

A Dynamic Mechanism for Recovering from Buffer Overflow Attacks [chapter]

Stelios Sidiroglou, Giannis Giovanidis, Angelos D. Keromytis
2005 Lecture Notes in Computer Science  
Briefly, we automatically augment source code to dynamically catch stack and heap-based buffer overflow and underflow attacks, and recover from them by allowing the program to continue execution.  ...  Our hypothesis is that we can treat each code function as a transaction that can be aborted when an attack is detected, without affecting the application's ability to correctly execute.  ...  Our plans for future work include enhancing the capabilities of DYBOC by combining it with a static source-code analysis tool, extending the performance evaluation, and further validating our hypothesis  ... 
doi:10.1007/11556992_1 fatcat:ruqzzdtgdzaijjoqxbhzswjbau

The evolution of data races

C. Sadowski, Jaeheon Yi, Sunghun Kim
2012 2012 9th IEEE Working Conference on Mining Software Repositories (MSR)  
In this paper, we examine the evolution of data races by analyzing samples of the committed code in two open source projects over a multi-year period.  ...  Several prior empirical studies have identified the prevalence and challenges of concurrency bugs in open source projects, and several existing tools can be used to identify concurrency errors such as  ...  A couple papers have examined the evolution of warnings produced by static analysis tools. One of them analyzed the decay likelihood for various types of vulnerabilities [9] .  ... 
doi:10.1109/msr.2012.6224277 dblp:conf/msr/SadowskiYK12 fatcat:yaew2onomvc6plzyipuejk6vza

Deep Learning for Android Malware Defenses: a Systematic Literature Review [article]

Yue Liu, Chakkrit Tantithamthavorn, Li Li, Yepang Liu
2022 arXiv   pre-print
Our investigation reveals that, while the majority of these sources mainly consider DL-based on Android malware detection, 53 primary studies (40.1 percent) design defense approaches based on other scenarios  ...  However, given the explosive growth of Android malware and the continuous advancement of malicious evasion technologies like obfuscation and reflection, Android malware defense approaches based on manual  ...  Attacks and Protections Hybrid analysis MLP CADE [193] 2021 Malware Evolution Detection and Defense Static analysis AE Li et al. [91] 2021 Malware Evolution Detection and Defense, Adversarial Static analysis  ... 
arXiv:2103.05292v2 fatcat:qruddq4gknfq7jx5wyrk5qu2eu

Software assurance with samate reference dataset, tool standards, and studies

Paul E. Black
2007 2007 IEEE/AIAA 26th Digital Avionics Systems Conference  
They can also help identify malicious code and poor coding practices that lead to vulnerabilities.  ...  This is a huge amount of software with the risk of attack from distant global sites. Yet users need assurance that the software will work and not create security problems.  ...  For instance, how much does the use of static source code analyzers help? How much assurance can we get from using test-driven development?  ... 
doi:10.1109/dasc.2007.4391957 fatcat:ii74u7fr6jg7dfsocwo42gg3oe

Tracking defect warnings across versions

Jaime Spacco, David Hovemeyer, William Pugh
2006 Proceedings of the 2006 international workshop on Mining software repositories - MSR '06  
One motivation for this capability is to remember decisions about code that has been reviewed and found to be safe despite the occurrence of a warning.  ...  Various static analysis tools will analyze a software artifact in order to identify potential defects, such as misused APIs, race conditions and deadlocks, and security vulnerabilities.  ...  INTRODUCTION There are many tools that perform static analysis of software to detect possible software defects.  ... 
doi:10.1145/1137983.1138014 dblp:conf/msr/SpaccoHP06 fatcat:ezz7psvtnrbsdoqh3w5kqn3wpu