静态检测源代码漏洞的演化与衰减

2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation Pub Date : 2008-10-03 DOI:10.1109/SCAM.2008.20

M. D. Penta, L. Cerulo, Lerina Aversano

{"title":"静态检测源代码漏洞的演化与衰减","authors":"M. D. Penta, L. Cerulo, Lerina Aversano","doi":"10.1109/SCAM.2008.20","DOIUrl":null,"url":null,"abstract":"The presence of vulnerable statements in the source code is a crucial problem for maintainers: properly monitoring and, if necessary, removing them is highly desirable to ensure high security and reliability. To this aim, a number of static analysis tools have been developed to detect the presence of instructions that can be subject to vulnerability attacks, ranging from buffer overflow exploitations to command injection and cross-site scripting.Based on the availability of existing tools and of data extracted from software repositories, this paper reports an empirical study on the evolution of vulnerable statements detected in three software systems with different static analysis tools. Specifically, the study investigates on vulnerability evolution trends and on the decay time exhibited by different kinds of vulnerabilities.","PeriodicalId":433693,"journal":{"name":"2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation","volume":"249 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":"{\"title\":\"The Evolution and Decay of Statically Detected Source Code Vulnerabilities\",\"authors\":\"M. D. Penta, L. Cerulo, Lerina Aversano\",\"doi\":\"10.1109/SCAM.2008.20\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The presence of vulnerable statements in the source code is a crucial problem for maintainers: properly monitoring and, if necessary, removing them is highly desirable to ensure high security and reliability. To this aim, a number of static analysis tools have been developed to detect the presence of instructions that can be subject to vulnerability attacks, ranging from buffer overflow exploitations to command injection and cross-site scripting.Based on the availability of existing tools and of data extracted from software repositories, this paper reports an empirical study on the evolution of vulnerable statements detected in three software systems with different static analysis tools. Specifically, the study investigates on vulnerability evolution trends and on the decay time exhibited by different kinds of vulnerabilities.\",\"PeriodicalId\":433693,\"journal\":{\"name\":\"2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation\",\"volume\":\"249 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2008-10-03\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"12\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SCAM.2008.20\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SCAM.2008.20","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

摘要

对于维护人员来说，源代码中存在易受攻击的语句是一个关键问题:适当地监视并在必要时删除它们，以确保高安全性和可靠性是非常可取的。为此，已经开发了许多静态分析工具来检测可能受到漏洞攻击的指令的存在，范围从缓冲区溢出利用到命令注入和跨站点脚本。基于现有工具的可用性和从软件存储库中提取的数据，本文对使用不同静态分析工具在三个软件系统中检测到的脆弱语句的演变进行了实证研究。具体而言，研究了不同类型漏洞的演化趋势和衰减时间。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

The Evolution and Decay of Statically Detected Source Code Vulnerabilities

The presence of vulnerable statements in the source code is a crucial problem for maintainers: properly monitoring and, if necessary, removing them is highly desirable to ensure high security and reliability. To this aim, a number of static analysis tools have been developed to detect the presence of instructions that can be subject to vulnerability attacks, ranging from buffer overflow exploitations to command injection and cross-site scripting.Based on the availability of existing tools and of data extracted from software repositories, this paper reports an empirical study on the evolution of vulnerable statements detected in three software systems with different static analysis tools. Specifically, the study investigates on vulnerability evolution trends and on the decay time exhibited by different kinds of vulnerabilities.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation

自引率

0.00%

发文量