Abstract
Software vulnerabilities are the attack surface; therefore, vulnerabilities inherent in software should be detected to assure software security. Vulnerability detection methods can be divided into static vulnerability detection and dynamic vulnerability detection. Static vulnerability detection is the more commonly used of the two. It has many benefits, but it also produces false positives. This paper therefore proposes a method that combines static and dynamic detection to reduce the false positives produced by static vulnerability detection. The proposed method verifies each reported vulnerability by injecting a fault at the reported site, based on the information obtained from static code analysis.
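The two-phase workflow the abstract describes, as an added illustration that is not code from the paper or its authors: a static phase flags candidate sites, and a dynamic phase injects faulty inputs at each flagged site to decide whether the report is real or a false positive. The program under test, the static rule (a subscript indexed by a bare variable is a potential out-of-bounds read) and the fault values are all constructed for this example and are assumptions, not the paper's tool or rules.

```python
import ast

# Constructed program under test (not from the paper). `guarded` checks its
# bounds before indexing; `unguarded` does not. Both trip the static rule.
SAMPLE_SOURCE = '''
def guarded(buf, i):
    if 0 <= i < len(buf):
        return buf[i]
    return None

def unguarded(buf, i):
    return buf[i]
'''

# Constructed fault values: in-range, at the boundary, and far past it for a
# three-element buffer. -1 is a valid Python index, so it is a non-faulting probe.
FAULT_INPUTS = [-1, 0, 3, 10**6]
PROBE_BUFFER = [10, 20, 30]


def static_scan(source):
    """Static phase: report (function, line) for every subscript whose index
    is a bare variable. This deliberately ignores guards, so it over-reports,
    exactly the false-positive behaviour the dynamic phase is meant to filter."""
    tree = ast.parse(source)
    findings = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Subscript):
                continue
            idx = node.slice
            if hasattr(ast, "Index") and isinstance(idx, ast.Index):  # Python < 3.9
                idx = idx.value
            if isinstance(idx, ast.Name):
                findings.append((func.name, node.lineno))
    return findings


def dynamic_verify(source, findings):
    """Dynamic phase: for each static finding, call the flagged function with
    fault-injected indexes. An IndexError means the unchecked access is
    reachable with a bad index (confirmed); surviving every probe means the
    static report is a false positive."""
    namespace = {}
    exec(source, namespace)  # loads the constructed program under test
    verdicts = {}
    for func_name, lineno in findings:
        fn = namespace[func_name]
        confirmed = False
        for bad_index in FAULT_INPUTS:
            try:
                fn(list(PROBE_BUFFER), bad_index)
            except IndexError:
                confirmed = True
                break
        verdicts[(func_name, lineno)] = "confirmed" if confirmed else "false positive"
    return verdicts


def triage(source):
    """Combined pipeline: static findings filtered by dynamic fault injection."""
    return dynamic_verify(source, static_scan(source))


if __name__ == "__main__":
    for (name, line), verdict in triage(SAMPLE_SOURCE).items():
        print(f"{name}:{line} -> {verdict}")
```

The static rule alone reports both functions; fault injection keeps only `unguarded`, which is the reduction in false positives the abstract is after. A real implementation would instrument the flagged line rather than relying on an exception, so that a silent out-of-bounds read in C is also observed.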
Acknowledgments
This work was supported by the ICT R&D program of MSIP/IITP [R0101-15-0144, (EXOBRAIN-4) development of autonomous intelligent collaboration framework for knowledge bases and smart devices] and by the "employment contract based master's degree program for information security" supervised by KISA (Korea Internet Security Agency) (H2101-14-1001).
Additional information
Special Issue: "Convergence Interaction for Communication", Guest Edited by Prof. Jong Kyung Ryu, jkryu.hci@gmail.com.
Cite this article
Kim, S., Kim, R. & Park, Y.B. Software Vulnerability Detection Methodology Combined with Static and Dynamic Analysis. Wireless Pers Commun 89, 777–793 (2016). https://doi.org/10.1007/s11277-015-3152-1