Partitioners Track : Generating Security Vulnerabilities in Source Code
@inproceedings{Schuckert2016PartitionersT,
title={Partitioners Track : Generating Security Vulnerabilities in Source Code},
author={Felix Schuckert},
year={2016}
}This paper describes a framework, which modifies existing source code to generate security issues. An example plugin for generating SQL injection in Java source code is described. The generation process is based on static code analysis techniques like dataflow analysis and abstract syntax trees. The framework is evaluated with the help of Java projects from GitHub. One modified project was successfully used in a capture the flag event as a challenge.
References
SHOWING 1-10 OF 19 REFERENCES
SPOON: A library for implementing analyses and transformations of Java source code
- Computer ScienceSoftw. Pract. Exp.
- 2016
SPOON enables Java developers to write a large range of domain‐specific analyses and transformations in an easy and concise manner and developers do not need to dive into parsing, to hack a compiler infrastructure, or to master a new formalism.
Static analysis of source code security: Assessment of tools against SAMATE tests
- Computer ScienceInf. Softw. Technol.
- 2013
Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services
- Computer Science2009 15th IEEE Pacific Rim International Symposium on Dependable Computing
- 2009
This work used several commercial and open source tools to detect vulnerabilities in a set of vulnerable services and suggested that, in general, static code analyzers are able to detect more SQL Injection vulnerabilities than penetration testing tools.
Secure Programming with Static Analysis
- Computer Science, Economics
- 2007
The First Expert Guide to Static Analysis for Software Security!Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost…
Automated static code analysis : A tool for early vulnerability detection
- Computer Science
- 2009
This thesis investigates the technical capabilities and limitations of using a static analysis tool as an early vulnerability detector and the most important limitation being the incorrect warnings that are reported by static analysis tools.
Evaluation of static analysis tools for software security
- Computer Science2014 10th International Conference on Innovations in Information Technology (IIT)
- 2014
Results show that security static analysis tools are, to some extent, effective in detecting security holes in source code; source code analyzers are able to detect more weaknesses than bytecode and binary code scanners; and while tools can assist the development team in security code review activities, they are not enough to uncover all common weaknesses in software.
Programming languages and program analysis for security: a three-year retrospective
- Computer ScienceSIGP
- 2009
This paper is a three-year survey of PLAS papers that discusses the progress made in the area of language-based security, which has become very active with the advent of Web applications.
DieHard: probabilistic memory safety for unsafe languages
- Computer SciencePLDI '06
- 2006
Analytical and experimental results are presented that show DieHard's resilience to a wide range of memory errors, including a heap-based buffer overflow in an actual application.
https://www.owasp.org/index.php/Category:OWA SP Top Ten Project, last visit
- https://www.owasp.org/index.php/Category:OWA SP Top Ten Project, last visit
SA10] SAMATE -Software Assurance Metrics and Tool Evaluation. https://samate.nist.gov, last visit
- SA10] SAMATE -Software Assurance Metrics and Tool Evaluation. https://samate.nist.gov, last visit