Abstract
Two approaches to enhancing the reliability and security of software, static analysis of the source code and dynamic protection, are compared, and the advantages and disadvantages of each are discussed. A hybrid approach to enhancing the reliability of software is suggested that combines the advantages of both methods and mitigates their drawbacks. A classification of dynamic protection systems is presented in terms of when they operate, the abstraction level at which modifications are introduced and the protection code runs, and the principle of protection. A pragmatic approach to the development and evolution of an algorithm for finding a certain class of source-code errors that reduce the reliability or security of a system is described. The algorithm computes an approximation of the exact solution (the set of dangerous fragments), and each successive version of the algorithm brings the approximation closer to the exact solution. At each stage a hybrid algorithm is used: where static analysis cannot decide whether an error is present, preventing the effects of the possible error is entrusted to the dynamic protection system. The iterative improvement of the algorithm serves two purposes: reducing the number of false alerts and reducing the workload on the dynamic protection system. Application of the approach to a class of errors that reduce the security of software is considered.
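To make the hybrid scheme concrete, the following added example (not code from the paper) models the static step as a three-way verdict over printf-family call sites and the dynamic step as an argument-counting guard for the undecided ones; it assumes the error class is format-string misuse, a hypothetical list of printf-like functions, and constructed call sites.

```python
import re

PRINTF_LIKE = {"printf": 0, "fprintf": 1, "sprintf": 1, "syslog": 1}  # format-arg index (hypothetical list)
CALL_RE = re.compile(r"\b(\w+)\s*\((.*)\)\s*;")
SPEC_RE = re.compile(r"%(?:%|[-+ #0]*\d*(?:\.\d+)?[hlLqjzt]*[diouxXeEfgGcspn])")

def split_args(text):
    """Split a C argument list on top-level commas, respecting string literals and nested calls."""
    args, cur, depth, quoted, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\":          # keep escape sequences intact
            cur.append(text[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(": depth += 1
            elif ch == ")": depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    args.append("".join(cur).strip())
    return args

def classify(call, taint_sources):
    """Static step: 'safe' (literal format), 'dangerous' (known-tainted variable), 'unknown' (left to runtime)."""
    m = CALL_RE.search(call)
    if not m or m.group(1) not in PRINTF_LIKE:
        return None
    fmt = split_args(m.group(2))[PRINTF_LIKE[m.group(1)]]
    if fmt.startswith('"'):
        return "safe"
    return "dangerous" if fmt in taint_sources else "unknown"

def analyze(sites, taint_sources):
    """Partition call sites by verdict; the 'unknown' list is the dynamic protection workload."""
    verdicts = {"safe": [], "dangerous": [], "unknown": []}
    for line, call in sites:
        v = classify(call, taint_sources)
        if v: verdicts[v].append(line)
    return verdicts

def runtime_check(fmt, nargs):
    """Dynamic step: accept only formats whose conversions match the argument count and contain no %n."""
    specs = [s for s in SPEC_RE.findall(fmt) if s != "%%"]
    return len(specs) == nargs and not any(s.endswith("n") for s in specs)

# Constructed call sites: analysis v1 knows no taint sources, v2 has learned user_input is untrusted.
SITES = [(10, 'printf("hello %s\\n", name);'),
         (22, 'printf(user_input);'),
         (35, 'syslog(LOG_INFO, msg);')]
```

Running `analyze(SITES, set())` then `analyze(SITES, {"user_input"})` shows the second version moving line 22 from the runtime-guarded set to a static report, which is exactly the shrinking of the dynamic workload the abstract describes.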
Cite this article
Frolov, A.M. A Hybrid Approach to Enhancing the Reliability of Software. Programming and Computer Software 30, 18–24 (2004). https://doi.org/10.1023/B:PACS.0000013437.87730.e5