Abstract
Growing security requirements for systems and applications have raised the stakes for software security verification techniques. Recently, model checking has been establishing itself in the arena of software verification. It is effective in verifying high-level security properties related to software functionality. In this paper, we present the experiments conducted with our model-checking-based security verification framework. We embedded a wide range of the CERT secure coding rules into our framework. We then verified real software packages against these rules in order to demonstrate the capability and efficiency of our tool in detecting real errors.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Tlili, S., Yang, X., Hadjidj, R., Debbabi, M. (2009). Verification of CERT Secure Coding Rules: Case Studies. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_12
DOI: https://doi.org/10.1007/978-3-642-05151-7_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05150-0
Online ISBN: 978-3-642-05151-7
eBook Packages: Computer Science (R0)