research-article

Mitigating program security vulnerabilities: Approaches and challenges

Authors:

Hossain Shahriar,

Mohammad ZulkernineAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 44, Issue 3

Article No.: 11, Pages 1 - 46

https://doi.org/10.1145/2187671.2187673

Published: 14 June 2012 Publication History

Abstract

Programs are implemented in a variety of languages and contain serious vulnerabilities which might be exploited to cause security breaches. These vulnerabilities have been exploited in real life and caused damages to related stakeholders such as program users. As many security vulnerabilities belong to program code, many techniques have been applied to mitigate these vulnerabilities before program deployment. Unfortunately, there is no comprehensive comparative analysis of different vulnerability mitigation works. As a result, there exists an obscure mapping between the techniques, the addressed vulnerabilities, and the limitations of different approaches. This article attempts to address these issues. The work extensively compares and contrasts the existing program security vulnerability mitigation techniques, namely testing, static analysis, and hybrid analysis. We also discuss three other approaches employed to mitigate the most common program security vulnerabilities: secure programming, program transformation, and patching. The survey provides a comprehensive understanding of the current program security vulnerability mitigation approaches and challenges as well as their key characteristics and limitations. Moreover, our discussion highlights the open issues and future research directions in the area of program security vulnerability mitigation.

References

[1]

Aggarwal, A. and Jalote, P. 2006. Integrating static and dynamic analysis for detecting vulnerabilities. In Proceedings of the 30^th Annual International Computer Software and Application Conference. 343--350.

Digital Library

[2]

Allen, W., Chin, D., and Marin, G. 2006. A model-based approach to the security testing of network protocol implementations. In Proceedings of the 31^st IEEE Conference on Local Computer Networks. 1008--1015.

[3]

Ashcraft, K. and Engler, D. 2002. Using programmer-written compiler extensions to catch security holes. In Proceedings of the IEEE Symposium on Security and Privacy. 143.

Digital Library

[4]

Austin, T., Breach, S., and Sohi, G. 1994. Efficient detection of all pointer and array access errors. In Proceedings of the Conference on Programming Language Design and Implementation. 290--301.

Digital Library

[5]

Balzarotti, D., Cova, M., Felmetsger, V., and Vigna, G. 2007. Multi-Module vulnerability analysis of Web-based applications. In Proceedings of the 14^th ACM Conference on Computer and Communications Security. 25--35.

Digital Library

[6]

Bertino, E., Kamra, A., and Early, J. 2007. Profiling database application to detect SQL injection attacks. In Proceedings of the International Performance, Computing and Communications Conference. 449--458.

[7]

Breech, B. and Pollock, L. 2005. A framework for testing security mechanisms for program-based attacks. In Proceedings of the ICSE Workshop on Software Engineering for Secure Systems. 1--7.

Digital Library

[8]

Burns, J. 2005. Cross site request forgery: An introduction to a common Web application weakness. White paper, Information Security Partners LLC.

[9]

Castro, M., Costa, M., and Harris, T. 2006. Securing software by enforcing data-flow integrity. In Proceedings of the 7^th USENIX Symposium on Operating Systems Design and Implementation. 11.

Digital Library

[10]

Cadar, C., Ganesh, V., Pawlowski, P., Dill, D., and Engler, D. 2006. EXE: Automatically generating inputs of death. In Proceedings of the 13^th ACM Conference on Computer and Communications Security. 322--335.

Digital Library

[11]

Chen, K. and Wagner, D. 2007. Large-Scale analysis of format string vulnerabilities in Debian Linux. In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS'07). 75--84.

Digital Library

[12]

Chess, B. and McGraw, G. 2004. Static analysis for security. IEEE Secur. Priv. 2, 6, 76--79.

Digital Library

[13]

Chong, S., Liu, J., Myers, A., Qi, X., Vikram, K., Zheng, L., and Zheng, X. 2007. Secure Web applications via automatic partitioning. In Proceedings of the 21^st ACM SIGOPS Symposium on Operating Systems Principles. 31--44.

Digital Library

[14]

CVE. 2010. Common vulnerabilities and exposures. http://cve.mitre.org.

[15]

CWE. 2009. Common weakness enumeration. CWE/SANS top 25 most dangerous programming errors. http://cwe.mitre.org/top25.

[16]

CWE. 2010. CWE-352: Cross-Site request forgery (CSRF). http://cwe.mitre.org/data/definitions/352.html.

[17]

Dahn, C. and Mancoridis, S. 2003. Using program transformation to secure C programs against buffer overflows. In Proceedings of the 10^th Working Conference on Reverse Engineering (WCRE'03). 323--332.

Digital Library

[18]

Dekok, A. 2007. Pscan (1.2-8) format string security checker for C files. http://packages.debian.org/etch/pscan.

[19]

DeMillo, R., Lipton, R., and Sayward, F. 1978. Hints on test data selection: Help for the practicing programmer. IEEE Comput. Mag. 11, 4, 34--41.

Digital Library

[20]

DOM. 1998. Document object model (DOM), level 1 specification, version 1.0. http://www.w3.org.

[21]

Dor, N., Rodeh, M., and Sagiv, M. 2003. CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In Proceedings of the Conference on Programming Language Design and Implementation. 155--167.

Digital Library

[22]

Dowd, M., McDonald, J., and Schuh, J. 2007. The Art of Software Security Assessment. Addison-Wesley.

Digital Library

[23]

Du, W. and Mathur, A. 2000. Testing for software vulnerabilities using environment perturbation. In Proceedings of the International Conference on Dependable Systems and Networks (DSN'00). 603--612.

Digital Library

[24]

Dysart, F. and Sherriff, M. 2008. Automated fix generator for SQL injection attacks. In Proceedings of the 19^th International Symposium on Software Reliability Engineering. 311--312.

Digital Library

[25]

Ernst, M. 2003. Static and dynamic analysis: Synergy and duality. In Proceedings of the ICSE Workshop on Dynamic Analysis. 24--27.

[26]

Erlingsson, U. 2007. Low-Level software security: Attacks and defenses. Tech. rep. MSR-TR-07-153, Microsoft Research.

[27]

Evans, D. and Larochelle, D. 2002. Improving security using extensible lightweight static analysis. IEEE Softw. 19, 1, 42--51.

Digital Library

[28]

FlawFinder. 2010. http://www.dwheeler.com/flawfinder.

[29]

Fonseca, J., Vieira, M., and Madeira, H. 2007. Testing and comparing Web vulnerability scanning tools for SQL injection and XSS attacks. In Proceedings of the 13^th Pacific Rim International Symposium on Dependable Computing. 365--372.

Digital Library

[30]

Ganapathy, V., Jha, S., Chandler, D., Melski, D., and Vitek, D. 2003. Buffer overrun detection using linear programming and static analysis. In Proceedings of the 10^th ACM Conference on Computer and Communications Security. 345--354.

Digital Library

[31]

Gao, Q., Zhang, W., Tang, Y., and Qin, F. 2009. First aid: Surviving and preventing memory management bugs during production runs. In Proceedings of the 4^th European Conference on Computer Systems. 159--172.

Digital Library

[32]

Ghosh, A., O'Connor, T., and McGraw, G. 1998. An automated approach for identifying potential vulnerabilities in software. In Proceedings of the IEEE Symposium on Security and Privacy. 104--114.

[33]

Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Richardson, R. 2004. Ninth CSI/FBI computer crime and security survey. Tech. rep. RL32331, Computer Security Institute.

[34]

Grosso, C., Antoniol, G., Merlo, E., and Galinier, P. 2008. Detecting buffer overflow via automatic test input data generation. Comput. Oper. Res. 35, 10, 3125--3143.

Digital Library

[35]

Guha, A., Krishnamurthi, S., and Jim, T. 2009. Using static analysis for ajax intrusion detection. In Proceedings of the International World Wide Web Conference. 561--570.

Digital Library

[36]

Guo, P. 2006. A scalable mixed-level approach to dynamic analysis of C and C++ programs. Master of Engineering thesis, Massachusetts Institute of Technology. May.

[37]

Hackett, B., Das, M., Wang, D., and Yang, Z. 2006. Modular checking for buffer overflows in the large. In Proceedings of the 28^th International Conference on Software Engineering. 232--241.

Digital Library

[38]

Halfond, W. and Orso, A. 2005. Combining static analysis and runtime monitoring to counter SQL injection attacks. In Proceedings of the 3^rd International Workshop on Dynamic Analysis. 1--7.

Digital Library

[39]

Halfond, W., Orso, A., and Manolios, P. 2006a. FSE. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In Proceedings of the 14^th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 175--185.

Digital Library

[40]

Halfond, W., Viegas, J., and Orso, A. 2006b. A classification of SQL injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering.

[41]

Haugh, E. and Bishop, M. 2003. Testing C programs for buffer overflow vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium (NDSS).

[42]

Hermosillo, G., Gomez, R., Seinturier, L., and Duchien, L. 2007. AProSec: An aspect for programming secure Web applications. In Proceedings of the 2^nd International Conference on Availability, Reliability and Security. 1026--1033.

Digital Library

[43]

Hind, M. 2001. Pointer analysis: Haven't we solved this problem yet&quest; In Proceedings of the ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering. 54--61.

Digital Library

[44]

Huang, Y., Huang, S., Lin, T., and Tsai, C. 2003. Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12^th International Conference on World Wide Web. 148--159.

Digital Library

[45]

Huss, E. 1997. The C library reference guide, release 1. http://www.acm.uiuc.edu/webmonkeys/book/c_guide/.

[46]

ISO. 1992. International Standards Organization, Information Technology, Database Languages, SQL 3^rd Ed. ISO/IEC.

[47]

Johns, M. and Beyerlein, C. 2007. SMask: Preventing injection attacks in Web applications by approximating automatic data/code separation. In Proceedings of the ACM Symposium on Applied Computing. 284--291.

Digital Library

[48]

Jorgensen, A. 2003. Testing with hostile data streams. ACM SIGSOFT Softw. Engin. Not. 28, 2, 9.

Digital Library

[49]

Jovanovic, N., Kruegel, C., and Kirda, E. 2006. Pixy: A static analysis tool for detecting Web application vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy. 258--263.

Digital Library

[50]

Juillerat, N. 2007. Enforcing code security in database Web applications using libraries and object models. In Proceedings of the Symposium on Library-Centric Software Design. 31--41.

Digital Library

[51]

Junjin, M. 2009. An approach for SQL injection vulnerability detection. In Proceedings of the 6^th International Conference on Information Technology: New Generations. 1411--1414.

Digital Library

[52]

Kals, S., Krida, E., Kruegel, C., and Jovanovic, N. 2006. SecuBat: A Web vulnerability scanner. In Proceedings of the 15^th International Conference on World Wide Web. 247--256.

Digital Library

[53]

Kayacik, H., Heywood, M., and Heywood, N. 2006. On evolving buffer overflow attacks using genetic programming. In Proceedings of the 8^th Annual Conference on Genetic and Evolutionary Computation. 1667--1674.

Digital Library

[54]

Kemalis, K. and Tzouramanis, T. 2008. SQL-IDS: A specification-based approach for SQL injection detection. In Proceedings of the 23^rd ACM Symposium on Applied Computing (SAC'08). 2153--2158.

Digital Library

[55]

Kiezun, A., Guo, P., Jayaraman, K., and Ernst, M. 2009. Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31^st International Conference on Software Engineering. 199--209.

Digital Library

[56]

Kim, H., Choi, Y., Lee, D., and Lee, D. 2008. Practical security testing using file fuzzing. In Proceedings of the International Conference on Advanced Computing Technologies (ICACT). 1304--1307.

[57]

King, J. 1976. Symbolic execution and program testing. Comm. ACM 19, 7, 385--394.

Digital Library

[58]

Klein, A. 2005. DOM-Based cross site scripting or XSS of the third kind. http://www.webappsec.org/projects/articles/071105.shtml.

[59]

Klog. 1999. The frame pointer overwrite. Phrack Mag. 9, 55. http://www.phrack.org.

[60]

Kratkewicz, K. and Lippmann, R. 2005. Using a diagnostic corpus of C programs to evaluate buffer overflow detection by static analysis tools. In Proceedings of the Workshop on the Evaluation of Software Defect Detection Tools.

[61]

Kumar, P., Nema, A., and Kumar, R. 2009. Hybrid analysis of executables to detect security vulnerabilities. In Proceedings of the 2^nd Annual Conference on India Software Engineering. 141--142.

Digital Library

[62]

Lam, M., Martin, M., Livshits, B., and Whaley, J. 2008. Securing Web applications with static and dynamic information flow tracking. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation. 3--12.

Digital Library

[63]

Le, W. and Soffa, M. 2008. Marple: A demand-driven path-sensitive buffer overflow detector. In Proceedings of the 16^th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE'08). 272--282.

Digital Library

[64]

Leah, D. 2000. A memory allocator. http://g.oswego.edu/dl/html/malloc.html.

[65]

Lin, J. and Chen, J. 2007. The automatic defense mechanism for malicious injection attack. In Proceedings of the 7^th International Conference on Computer and Information Technology. 709--714.

Digital Library

[66]

Lin, Z., Jiang, X., Xu, D., Mao, B., and Xie, L. 2007. AutoPaG: Towards automated software patch generation with source code root cause identification and repair. In Proceedings of the 2^nd ACM Symposium on Information, Computer and Communications Security. 329--340.

Digital Library

[67]

Lin, Z., Mao, B., and Xie, L. 2006. A practical framework for dynamically immunizing software security vulnerabilities. In Proceedings of the 1^st International Conference on Availability, Reliability and Security. 348--357.

Digital Library

[68]

Livshits, V. and Lam, M. 2005. Finding security vulnerabilities in Java applications with static analysis. In Proceedings of the 14^th USENIX Security Symposium. 18.

Digital Library

[69]

Lucca, G., Fasolino, A., Mastoianni, M., and Tramontana, P. 2004. Identifying cross site scripting vulnerabilities in Web applications. In Proceedings of the 6^th International Workshop on Web Site Evolution. 71--80.

Digital Library

[70]

Mancoridis, S. 2008. Software analysis for security. In Proceedings of the Conference on Frontiers of Software Maintenance. 109--118.

[71]

Mathur, A. 2008. Foundations of Software Testing 1^st Ed. Pearson Education.

Digital Library

[72]

McAllister, S., Kirda, E., and Kruegel, C. 2008. Leveraging user interactions for in-depth testing of Web applications. In Proceedings of the 11^th International Symposium on Recent Advances in Intrusion Detection (RAID). 191--210.

Digital Library

[73]

McGraw, G. and Potter, B. 2004. Software security testing. IEEE Secur. Priv. 2, 5, 81--85.

Digital Library

[74]

McMinn, P. 2004. Search-Based software test data generation: A survey. Softw. Test. Verif. Reliab. 14, 2, 105--156.

Digital Library

[75]

Monga, M., Paleari, R., and Passerini, E. 2009. A hybrid analysis framework for detecting Web application vulnerabilities. In Proceedings of the 5^th Workshop on Software Engineering for Secured Systems. 25--32.

Digital Library

[76]

Muthuprasanna, M., Wei, K., and Kothari, S. 2006. Eliminating SQL injection attacks: A transparent defense mechanism. In Proceedings of the 8^th International Symposium on Web Site Evolution. 22--32.

Digital Library

[77]

Nishiyama, H. 2005. SecureC: Control-Flow protection against general buffer overflow attack. In Proceedings of the 29^th Annual International Computer Software and Applications Conference. 149--155.

Digital Library

[78]

Novark, G., Berger, E., and Zorn, B. 2007. Exterminator: Automatically correcting memory errors with high probability. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation. 1--11.

Digital Library

[79]

Offutt, J., Wu, Y., Du, X., and Huang, H. 2004. Bypass testing of Web applications. In Proceedings of the 15^th International Symposium on Software Reliability Engineering (ISSRE). 187--197.

Digital Library

[80]

Ofuonye, E. and Miller, J. 2008. Resolving Javascript vulnerabilities in the browser runtime. In Proceedings of the 19^th International Symposium on Software Reliability Engineering. 57--66.

Digital Library

[81]

Okun, V., Guthrie, W., Gaucher, R., and Black, P. 2007. Effect of static analysis tools on software security: Preliminary investigation. In Proceedings of the 3^rd Workshop on Quality of Protection. 1--5.

Digital Library

[82]

One, A. 1996. Smashing the stack for fun and profit. Phrack Mag. 7, 49. http://insecure.org/stf/smashstack.html.

[83]

OSVDB. 2010. Open source vulnerability database. http://osvdb.org.

[84]

OWASP. 2010a. OWASP CSRFGuard project. http://www.owasp.org/index.php/CSRFGuard_2.2 _Configuration_Manual.

[85]

OWASP. 2010b. Range and type error vulnerability. http://www.owasp.org/index.php/Category:Range_and_ Type_Error_Vulnerability.

[86]

Pozza, D., Sisto, R., Durante, L., and Valenzano, A. 2006. Comparing lexical analysis tools for buffer overflow detection in network software. In Proceedings of the 1^st International Conference on Communication System Software and Middleware. 1--7.

[87]

PAX. 2003. Documentation for the PaX project. http://pax.grsecurity.net/docs/pax.txt.

[88]

Reis, C., Dunagan, J., Wang, H., Dubrovsky, O., and Esmeir, S. 2007. BrowserShield: Vulnerability-Driven filtering of dynamic HTML. ACM Trans. Web 1, 3.

Digital Library

[89]

Ringenburg, M. and Grossman, D. 2005. Preventing format-string attacks via automatic and efficient dynamic checking. In Proceedings of the 12^th Conference on Computer and Communications Security. 354--363.

Digital Library

[90]

Robbins, T. 2000. Libformat. http://archives.neohapsis.com/archives/linux/lsap/2000-q3/0444.html.

[91]

Seacord, R. 2006. Secure coding in C and C++ of strings and integers. IEEE Secur. Priv. 4, 1, 74--76.

Digital Library

[92]

Shahriar, H. and Zulkernine, M. 2010a. Assessing test suites for buffer overflow vulnerabilities. Int. J. Softw. Engin. Knowl. Engin. 20, 1, 73--101. World Scientific.

[93]

Shahriar, H. and Zulkernine, M. 2010b. Classification of buffer overflow vulnerability monitors. In Proceedings of the 4^th International Workshop on Secure Software Engineering. 519--524.

[94]

Shahriar, H. and Zulkernine, M. 2010c. Classification of static analysis-based buffer overflow vulnerability detection. In Proceedings of the 1^st Workshop on Model Checking in Reliability and Security. 94--101.

Digital Library

[95]

Shahriar, H. and Zulkernine, M. 2010d. Monitoring buffer overflow vulnerabilities: A perennial problem. Int. J. Secur. Softw. Engin. 1, 3, 18--40.

Digital Library

[96]

Shahriar, H. and Zulkernine, M. 2009a. Automatic testing of program security vulnerabilities. In Proceedings of the 1^st International Workshop on Test Automation. 550--555.

Digital Library

[97]

Shahriar, H. and Zulkernine, M. 2009b. MUTEC: Mutation-Based testing of cross site scripting. In Proceedings of the 5^th ICSE Workshop on Software Engineering for Secure Systems. 47--53.

Digital Library

[98]

Shahriar, H. and Zulkernine, M. 2008a. Mutation-Based testing of buffer overflow vulnerabilities. In Proceedings of the 2^nd International Workshop on Security in Software Engineering (IWSSE). 979--984.

Digital Library

[99]

Shahriar, H. and Zulkernine, M. 2008b. Mutation-Based testing of format string bugs. In Proceedings of the 11^th High Assurance Systems Engineering Symposium (HASE'08). 229--238.

Digital Library

[100]

Shahriar, H. and Zulkernine, M. 2008c. MUSIC: Mutation-Based SQL injection vulnerability checking. In Proceedings of the 8^th International Conference on Quality Software (QSIC). 77--86.

Digital Library

[101]

Shankar, U., Talwar, K., Foster, J., and Wagner, D. 2001. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10^th USENIX Security Symposium.

Digital Library

[102]

Silva, A. 2005. Format strings. Gotfault Security Community, version 2.5. http://www.milw0rm.com/papers/5.

[103]

Smirnov, A. and Chiueh, T. 2007. Automatic patch generation for buffer overflow attacks. In Proceedings of the 3^rd International Symposium on Information Assurance and Security. 165--170.

Digital Library

[104]

Sotirov, A. 2005. Automatic vulnerability detection using static analysis. MSc thesis, The University of Alabama. http://gcc.vulncheck.org/sotirov05automatic.pdf.

[105]

Speirs, W. 2005. Making the kernel responsible: A new approach to determining and preventing buffer overflows. In Proceedings of the 3^rd IEEE International Workshop on Information Assurance. 21--32.

Digital Library

[106]

Symantec. 2008. Internet security threat report, trends for July-September 07. Volume XII. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf.

[107]

Tal, O., Knight, S., and Dean, T. 2004. Syntax-Based vulnerabilities testing of frame-based network protocols. In Proceedings of the 2^nd Annual Conference on Privacy, Security and Trust. 155--160.

[108]

Tappenden, A., Beatty, P., Miller, J., Geras, A., and Smith, M. 2005. Agile security testing of Web-based systems via HTTPUnit. In Proceedings of the Agile Development Conference (ADC). 29--38.

Digital Library

[109]

Teso, Scut/Team. 2001. Exploiting format string vulnerabilities. http://doc.bughunter.net/format-string/exploit-fs.html.

[110]

Tevis, J. and Hamilton, J. 2006. Static analysis of anomalies and security vulnerabilities in executable files. In Proceedings of the 44^th Annual SouthEast Regional Conference. 560--565.

Digital Library

[111]

Thomas, S. and Williams, L. 2007. Using automated fix generation to secure SQL statements. In Proceedings of the 3^rd International Workshop on Software Engineering for Secure Systems. 9--14.

Digital Library

[112]

Tripp, O., Pistoia, M., Fink, S., Sridharan, M., and Weisman, O. 2009. TAJ: Effective taint analysis of Web applications. In Proceedings of the Conference on Programming Language Design and Implementation. 87--97.

Digital Library

[113]

Tsai, T. and Singh, N. 2002. Libsafe: Transparent system-wide protection against buffer overflow attacks. In Proceedings of the International Conference on Dependable Systems and Networks. 541.

Digital Library

[114]

Viega, J., Bloch, J., Kohno, T., and McGraw, G. 2002. Token-Based scanning of source code for security problems. ACM Trans. Inf. Syst. Secur. 5, 3, 238--261.

Digital Library

[115]

Vigna, G., Robertson, W., and Balzarotti, D. 2004. Testing network-based intrusion detection signature using mutant exploits. In Proceedings of the ACM Conference on Computer and Communication Security. 21--30.

Digital Library

[116]

Vilela, P., Machado, M., and Wong, E. 2002. Testing for security vulnerabilities in software. In Proceedings of the Conference on Software Engineering and Applications (SEA).

[117]

W3C. 1999. HTML 4.10 specification. http://www.w3.org/TR/REC-html40.

[118]

Wagner, D., Foster, J., Brewer, E., and Aiken, A. 2000. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium.

[119]

Wang, L., Cordy, J., and Dean, T. 2005. Enhancing security using legality assertions. In Proceedings of the 12^th Working Conference on Reverse Engineering. 35--44.

Digital Library

[120]

Wassermann, G. and Su, Z. 2008. Static detection of cross-site scripting vulnerabilities. In Proceedings of the 30^th International Conference on Software Engineering (ISCE). 171--180.

Digital Library

[121]

Wassermann, G. and Su, Z. 2007. Sound and precise analysis of Web applications for injection vulnerabilities. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI). 32--41.

Digital Library

[122]

Weber, M., Shah, V., and Ren, C. 2001. A case study in detecting software security vulnerabilities using constraint optimization. In Proceedings of the Workshop on Source Code Analysis and Manipulation. 3--13.

[123]

Wei, K., Muthuprasanna, M., and Kothari, S. 2006. Preserving SQL injection attacks in stored procedures. In Proceedings of the Australian Software Engineering Conference. 191--198.

Digital Library

[124]

Wilander, J. and Kamkar, M. 2003. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the 10^th Network and Distributed System Security Symposium.

[125]

Xie, Y. and Aiken, A. 2006. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15^th USENIX Security Symposium.

Digital Library

[126]

Xie, Y., Chou, A., and Engler, D. 2003. ARCHER: Using symbolic, path-sensitive analysis to detect memory access errors. In Proceedings of the 9^th European Software Engineering Conference. 327--336.

Digital Library

[127]

Xu, W., DuVarney, D., and Sekar, R. 2004. An efficient and backwards-compatible transformation to ensure memory safety of C programs. In Proceedings of the 12^th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 117--126.

Digital Library

[128]

Xu, R., Godefroid, P., and Majumdar, R. 2008. Testing for buffer overflows with length abstraction. In Proceedings of the International Symposium on Software Testing and Analysis. 27--38.

Digital Library

[129]

Yang, J., Kremenek, T., Xie, Y., and Engler, D. 2003. MECA: An extensible, expressive system and language for statically checking security properties. In Proceedings of the 10^th ACM Conference on Computer and Communications Security. 321--334.

Digital Library

[130]

Yong, S. and Horwitz, S. 2003. Protecting C programs from attacks via invalid pointer dereferences. ACM SIGSOFT Softw. Engin. Not. 28, 5, 307--316.

Digital Library

[131]

Younan, Y., Joosen, W., Piessens, F., and Eynden, H. 2005. Security of memory allocators for C and C++. Tech. rep. CW419, Katholieke University Leuven, Belgium. http://www.fort-knox.be/files/CW419.pdf.

[132]

Yu, D., Chander, A., Islam, N., and Serikov, I. 2007. Javascript instrumentation for browser security. In Proceedings of the 34^th Symposium on Principles of Programming Languages (POPL). 237--249.

Digital Library

[133]

Zitser, M., Lippmann, R., and Leek, T. 2004. Testing static analysis tools using exploitable buffer overflows from open source code. In Proceedings of the 12^th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 97--106.

Digital Library

[134]

Zhang, X., Shao, L., and Zheng, J. 2008. A novel method of software vulnerability detection based on fuzzing technique. In Proceedings of the International Conference on Apperceiving Computing and Intelligence Analysis. 270--273.

[135]

Zhu, H., Hall, P., and May, J. 1997. Software unit test coverage and adequacy. ACM Comput. Surv. 29, 4, 366--427.

Digital Library

[136]

Zuchlinski, G. 2003. The anatomy of cross site scripting. http://www.net-security.org/dl/articles/xss_anatomy.pdf.

Cited By

Zhu XZhou WHan QMa WWen SXiang Y(2025)When Software Security Meets Large Language Models: A SurveyIEEE/CAA Journal of Automatica Sinica10.1109/JAS.2024.12497112:2(317-334)Online publication date: Mar-2025
https://doi.org/10.1109/JAS.2024.124971
Anastasia TStamatia B(2024)Managing Security Vulnerabilities Introduced by Dependencies in React.JS JavaScript Framework2024 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C)10.1109/SANER-C62648.2024.00022(126-133)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER-C62648.2024.00022
Rahman MAkter MMiller ETimofti BShahriar HMasum MWu F(2024)Fine-Tuned Variational Quantum Classifiers for Cyber Attacks Detection Based on Parameterized Quantum Circuits and Optimizers2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC61105.2024.00144(1067-1072)Online publication date: 2-Jul-2024
https://doi.org/10.1109/COMPSAC61105.2024.00144
Show More Cited By

Index Terms

Mitigating program security vulnerabilities: Approaches and challenges
1. Information systems
  1. Data management systems
    1. Middleware for databases
      1. Distributed transaction monitors
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Process validation
        Walkthroughs
      2. Software defect analysis
        Software testing and debugging
  2. Software organization and properties
    1. Contextual software domains
      1. Operating systems
        Process management
        Monitors

Recommendations

Mitigating Access Control Vulnerabilities through Interactive Static Analysis
SACMAT '15: Proceedings of the 20th ACM Symposium on Access Control Models and Technologies

Access control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Web applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Exploiting and Mitigating Advanced Security Vulnerabilities

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 44, Issue 3

June 2012

344 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/2187671

Issue’s Table of Contents

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 June 2012

Accepted: 01 September 2010

Revised: 01 June 2010

Received: 01 October 2009

Published in CSUR Volume 44, Issue 3

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

75
Total Citations
View Citations
3,816
Total Downloads

Downloads (Last 12 months)250
Downloads (Last 6 weeks)26

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zhu XZhou WHan QMa WWen SXiang Y(2025)When Software Security Meets Large Language Models: A SurveyIEEE/CAA Journal of Automatica Sinica10.1109/JAS.2024.12497112:2(317-334)Online publication date: Mar-2025
https://doi.org/10.1109/JAS.2024.124971
Anastasia TStamatia B(2024)Managing Security Vulnerabilities Introduced by Dependencies in React.JS JavaScript Framework2024 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C)10.1109/SANER-C62648.2024.00022(126-133)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER-C62648.2024.00022
Rahman MAkter MMiller ETimofti BShahriar HMasum MWu F(2024)Fine-Tuned Variational Quantum Classifiers for Cyber Attacks Detection Based on Parameterized Quantum Circuits and Optimizers2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC61105.2024.00144(1067-1072)Online publication date: 2-Jul-2024
https://doi.org/10.1109/COMPSAC61105.2024.00144
Rahman MShahrier H(2024)Towards Developing Generative Adversarial Networks Based Robust Intrusion Detection Systems for Imbalanced Dataset Using Hadoop-PySparkProceedings of the Third International Conference on Innovations in Computing Research (ICR’24)10.1007/978-3-031-65522-7_40(449-463)Online publication date: 1-Aug-2024
https://doi.org/10.1007/978-3-031-65522-7_40
Kree LHelmke RWinter E(2024)Using Semgrep OSS to Find OWASP Top 10 Weaknesses in PHP Applications: A Case StudyDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_4(64-83)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-64171-8_4
Croft RXie YBabar M(2023)Data Preparation for Software Vulnerability Prediction: A Systematic Literature ReviewIEEE Transactions on Software Engineering10.1109/TSE.2022.317120249:3(1044-1063)Online publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1109/TSE.2022.3171202
Liu WTan BFung JKarri RChakrabarty K(2023)Hardware-Supported Patching of Security Bugs in Hardware IP BlocksIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2022.316851342:1(54-67)Online publication date: Jan-2023
https://doi.org/10.1109/TCAD.2022.3168513
Croft RBabar MKholoosi MGrundy JPollock LPenta M(2023)Data Quality for Software Vulnerability DatasetsProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00022(121-133)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00022
Rahman MShahriar H(2023)Clustering Enabled Robust Intrusion Detection System for Big Data Using Hadoop–PySpark2023 IEEE 20th International Conference on Smart Communities: Improving Quality of Life using AI, Robotics and IoT (HONET)10.1109/HONET59747.2023.10374747(249-254)Online publication date: 4-Dec-2023
https://doi.org/10.1109/HONET59747.2023.10374747
Rahman MShahriar HClincy VHossain MRahman M(2023)A Quantum Generative Adversarial Network-based Intrusion Detection System2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC57700.2023.00280(1810-1815)Online publication date: Jun-2023
https://doi.org/10.1109/COMPSAC57700.2023.00280
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents