Classification of Diagnostic Information and Analysis Methods for Weaknesses in C/C++ Programs (C/C++ 프로그램을 위한 진단 정보와 분석 방법의 분류)

Han, Kyung sook (한경숙); Damho Lee (이담호); Changwoo Pyo (표창우)

doi:10.9708/jksci.2017.22.03.081

Classification of Diagnostic Information and Analysis Methods for Weaknesses in C/C++ Programs

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2017, 22(3), pp.81-88
DOI : 10.9708/jksci.2017.22.03.081
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science
Received : March 9, 2017
Accepted : March 23, 2017
Published : March 31, 2017

Han, Kyung sook ¹, Damho Lee ², Changwoo Pyo ²

¹한국산업기술대학교
²홍익대학교

Accredited

ABSTRACT

In this paper, we classified the weaknesses of C/C++ programs listed in CWE based on the diagnostic information produced at each stage of program compilation. Our classification identifies which stages should be responsible for analyzing the weaknesses. We also present algorithmic frameworks for detecting typical weaknesses belonging to the classes to demonstrate validness of our scheme. For the weaknesses that cannot be analyzed by using the diagnostic information, we separated them as a group that are often detectable by the analyses that simulate program execution, for instance, symbolic execution and abstract interpretation. We expect that classification of weaknesses, and diagnostic information accordingly, would contribute to systematic development of static analyzers that minimizes false positives and negatives.

KEYWORDS

Security, Weakness, Static Analysis, Diagnostic Information, Analysis Method

Citation status

* References for papers published after 2023 are currently being built.

[web] CWE / Common Weakness Enumeration / http://cwe.mitre.org/

[web] / NIST / https://samate.nist.gov/

[other] SAMATE / Juliet Test Suite v1.2 for C/C++ User Guide / National Security Agency

[web] / SecurityPrism / http://www.gtone.co.kr/kr/securitystatic-analysis-tools.php

[journal] Hyun-Joon Kwon / 2010 / Developing An Automatic Tool for Static Detection of Software Security Vulnerabilities / KIISE 28(2) : 37~40

[confproc] Hyunha Kim / 2009 / Rule-based Source-code Analysis for Detection of Security Vulnerability / WISA2009:The 10th International Workshop on Information Security Applications : ~

[web] / Fortify Static Code Analyzer / https://saas.hpe.com/en-us/software/sca

[book] Alfred V. Aho / 1986 / Compilers: Principled, Techniques, and Tools / Addison Wesley

[book] Steven S. Muchnick / 1997 / Advanced Compiler Design and Implementation / Morgan Kaufmann : 169~265

[journal] C. Cadar / 2013 / Symbolic execution for software testing: three decades later / Communications of the ACM 56(2) : 82~90

[confproc] P. Cousot / 1977 / Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints / Proceedings of the 4th ACM SIGACT- SIGPLAN symposium on Principles of programming languages / ACM : 238~252

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Classification of Diagnostic Information and Analysis Methods for Weaknesses in C/C++ Programs

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Classification of Diagnostic Information and Analysis Methods for Weaknesses in C/C++ Programs

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (1)

REFERENCES (11) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.