基于CWE的CBMC软件漏洞检测分析

2020 22nd International Conference on Advanced Communication Technology (ICACT) Pub Date : 2020-02-01 DOI:10.23919/ICACT48636.2020.9061281

Minjae Byun, Yongjun Lee, Jin-Young Choi

{"title":"基于CWE的CBMC软件漏洞检测分析","authors":"Minjae Byun, Yongjun Lee, Jin-Young Choi","doi":"10.23919/ICACT48636.2020.9061281","DOIUrl":null,"url":null,"abstract":"Model checking is a method of verifying whether a target system satisfies a specific property using mathematical and logical proofs. Model checking tools to verify design (1) require a formal description of the design and (2) there can be discrepancies between the model and actual implementation. To solve these problems, various tools such as CBMC and BLAST that can directly input C codes have been proposed. However, in terms of security, it is difficult to figure out which software weaknesses these tools can verify. In this paper, we matched the properties that CBMC can verify with corresponding CWEs, considering interdependencies of CWEs. We also conducted an experiment using Juliet Test Suite to check CBMC can actually verify the codes including these CWEs.","PeriodicalId":296763,"journal":{"name":"2020 22nd International Conference on Advanced Communication Technology (ICACT)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Analysis of software weakness detection of CBMC based on CWE\",\"authors\":\"Minjae Byun, Yongjun Lee, Jin-Young Choi\",\"doi\":\"10.23919/ICACT48636.2020.9061281\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Model checking is a method of verifying whether a target system satisfies a specific property using mathematical and logical proofs. Model checking tools to verify design (1) require a formal description of the design and (2) there can be discrepancies between the model and actual implementation. To solve these problems, various tools such as CBMC and BLAST that can directly input C codes have been proposed. However, in terms of security, it is difficult to figure out which software weaknesses these tools can verify. In this paper, we matched the properties that CBMC can verify with corresponding CWEs, considering interdependencies of CWEs. We also conducted an experiment using Juliet Test Suite to check CBMC can actually verify the codes including these CWEs.\",\"PeriodicalId\":296763,\"journal\":{\"name\":\"2020 22nd International Conference on Advanced Communication Technology (ICACT)\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-02-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2020 22nd International Conference on Advanced Communication Technology (ICACT)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.23919/ICACT48636.2020.9061281\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 22nd International Conference on Advanced Communication Technology (ICACT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/ICACT48636.2020.9061281","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

模型检验是一种利用数学和逻辑证明验证目标系统是否满足特定属性的方法。验证设计的模型检查工具(1)需要对设计进行正式描述，(2)模型和实际实现之间可能存在差异。为了解决这些问题，人们提出了各种可以直接输入C代码的工具，如CBMC、BLAST等。然而，就安全性而言，很难确定这些工具可以验证哪些软件弱点。在本文中，我们将CBMC可以验证的属性与相应的CWEs进行匹配，考虑到CWEs之间的相互依赖性。我们还使用Juliet Test Suite进行了一个实验，以检查CBMC是否可以实际验证包含这些CWEs的代码。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Analysis of software weakness detection of CBMC based on CWE

Model checking is a method of verifying whether a target system satisfies a specific property using mathematical and logical proofs. Model checking tools to verify design (1) require a formal description of the design and (2) there can be discrepancies between the model and actual implementation. To solve these problems, various tools such as CBMC and BLAST that can directly input C codes have been proposed. However, in terms of security, it is difficult to figure out which software weaknesses these tools can verify. In this paper, we matched the properties that CBMC can verify with corresponding CWEs, considering interdependencies of CWEs. We also conducted an experiment using Juliet Test Suite to check CBMC can actually verify the codes including these CWEs.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2020 22nd International Conference on Advanced Communication Technology (ICACT)

自引率

0.00%

发文量