Static Vulnerability Pattern Detection in Low Level Programming Language

Mansour Al-Qattan

Software Technology Research Laboratory, De Montfort University, Leicester - UK

Feng Chen

Software Technology Research Laboratory, De Montfort University, Leicester - UK

Pages: 29-40

Vol: 6, Issue: 4, 2016

Receiving Date: 2016-07-14

Acceptance Date: 2016-09-30

Publication Date: 2016-10-11

Abstract

Vulnerability checking tools in the software industry mostly focus on high-level programming languages, while vulnerability detection in low-level languages has, unfortunately, been largely sidelined in the case of legacy systems. This research proposes a method for finding vulnerabilities in assembly language through the wide-spectrum language (WSL) with FermaT, using the static taint vulnerability analysis technique together with the FermaT slicing transformation engine. Our method decompiles the binary executable file to assembly, translates the assembly to WSL, and then detects vulnerabilities by combining the FermaT slicing transformation with taint analysis. The results show that WSL FermaT can detect vulnerabilities in a binary executable file easily, as FermaT contains multiple transformations that enable developers to meet their requirements.

Keywords: vulnerabilities; vulnerability detection; static analysis; program transformation; FermaT; wide-spectrum language.


Disclaimer: All papers published in IJRST will be indexed on Google Search Engine as per their policy.
