Software Vulnerability Detection Methodology Combined with Static and Dynamic Analysis

Wireless Personal Communications

Abstract

Software vulnerabilities are the attack surface. Therefore, vulnerabilities innate in software should be detected for software security assurance. Vulnerability detection methods can be divided into static vulnerability detection and dynamic vulnerability detection. Static vulnerability detection is the more commonly used of the two. It has many benefits, but it also produces false positives. Therefore, this paper proposes a method that combines static and dynamic detection to reduce the false positives produced by static vulnerability detection. The proposed method verifies a vulnerability by implanting a fault, based on the information received from static code analysis.

Acknowledgments

This work was supported by the ICT R&D program of MSIP/IITP [R0101-15-0144, (EXOBRAIN-4) development of autonomous intelligent collaboration framework for knowledge bases and smart devices] and the “employment contract based master’s degree program for information security” supervised by the KISA (Korea Internet Security Agency) (H2101-14-1001).

Author information

Correspondence to Young B. Park.

Additional information

Special Issue: "Convergence Interaction for Communication", Guest Edited by Prof. Jong Kyung Ryu, jkryu.hci@gmail.com.

Cite this article

Kim, S., Kim, R. & Park, Y.B. Software Vulnerability Detection Methodology Combined with Static and Dynamic Analysis. Wireless Pers Commun 89, 777–793 (2016). https://doi.org/10.1007/s11277-015-3152-1

  • DOI: https://doi.org/10.1007/s11277-015-3152-1
