Detecting violations of security requirements for vulnerability discovery in source code

Hongzhe Li; Jaesang Oh; Heejo Lee

doi:10.1587/transinf.2016EDL8035

Detecting violations of security requirements for vulnerability discovery in source code

Hongzhe Li, Jaesang Oh, Heejo Lee

Research output: Contribution to journal › Article › peer-review

2 Citations (Scopus)

Abstract

Finding software vulnerabilities in source code before the program gets deployed is crucial to ensure the software quality. Existing source code auditing tools for vulnerability detection generate too many false positives, and only limited types of vulnerability can be detected automatically. In this paper, we propose an extendable mechanism to reveal vulnerabilities in source code with low false positives by specifying security requirements and detecting requirement violations of the potential vulnerable sinks. The experimental results show that the proposed mechanism can detect vulnerabilities with zero false positives and indicate the extendability of the mechanism to cover more types of vulnerabilities.

Original language	English
Pages (from-to)	2385-2389
Number of pages	5
Journal	IEICE Transactions on Information and Systems
Volume	E99D
Issue number	9
DOIs	https://doi.org/10.1587/transinf.2016EDL8035
Publication status	Published - 2016 Sept

Keywords

Security requirements
Security sinks
Software vulnerability

ASJC Scopus subject areas

Software
Hardware and Architecture
Computer Vision and Pattern Recognition
Electrical and Electronic Engineering
Artificial Intelligence

Access to Document

10.1587/transinf.2016EDL8035

Cite this

@article{f9d61f9916184c86856e7fefc16f76d0,

title = "Detecting violations of security requirements for vulnerability discovery in source code",

abstract = "Finding software vulnerabilities in source code before the program gets deployed is crucial to ensure the software quality. Existing source code auditing tools for vulnerability detection generate too many false positives, and only limited types of vulnerability can be detected automatically. In this paper, we propose an extendable mechanism to reveal vulnerabilities in source code with low false positives by specifying security requirements and detecting requirement violations of the potential vulnerable sinks. The experimental results show that the proposed mechanism can detect vulnerabilities with zero false positives and indicate the extendability of the mechanism to cover more types of vulnerabilities.",

keywords = "Security requirements, Security sinks, Software vulnerability",

author = "Hongzhe Li and Jaesang Oh and Heejo Lee",

note = "Publisher Copyright: Copyright {\textcopyright} 2016 The Institute of Electronics, Information and Communication Engineers.",

year = "2016",

month = sep,

doi = "10.1587/transinf.2016EDL8035",

language = "English",

volume = "E99D",

pages = "2385--2389",

journal = "IEICE Transactions on Information and Systems",

issn = "0916-8532",

publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",

number = "9",

}

TY - JOUR

T1 - Detecting violations of security requirements for vulnerability discovery in source code

AU - Li, Hongzhe

AU - Oh, Jaesang

AU - Lee, Heejo

PY - 2016/9

Y1 - 2016/9

N2 - Finding software vulnerabilities in source code before the program gets deployed is crucial to ensure the software quality. Existing source code auditing tools for vulnerability detection generate too many false positives, and only limited types of vulnerability can be detected automatically. In this paper, we propose an extendable mechanism to reveal vulnerabilities in source code with low false positives by specifying security requirements and detecting requirement violations of the potential vulnerable sinks. The experimental results show that the proposed mechanism can detect vulnerabilities with zero false positives and indicate the extendability of the mechanism to cover more types of vulnerabilities.

AB - Finding software vulnerabilities in source code before the program gets deployed is crucial to ensure the software quality. Existing source code auditing tools for vulnerability detection generate too many false positives, and only limited types of vulnerability can be detected automatically. In this paper, we propose an extendable mechanism to reveal vulnerabilities in source code with low false positives by specifying security requirements and detecting requirement violations of the potential vulnerable sinks. The experimental results show that the proposed mechanism can detect vulnerabilities with zero false positives and indicate the extendability of the mechanism to cover more types of vulnerabilities.

KW - Security requirements

KW - Security sinks

KW - Software vulnerability

UR - http://www.scopus.com/inward/record.url?scp=84984885335&partnerID=8YFLogxK

U2 - 10.1587/transinf.2016EDL8035

DO - 10.1587/transinf.2016EDL8035

M3 - Article

AN - SCOPUS:84984885335

SN - 0916-8532

VL - E99D

SP - 2385

EP - 2389

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

IS - 9

ER -

Detecting violations of security requirements for vulnerability discovery in source code

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this