Securing software : an evaluation of static source code analyzers

Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2003.

Bibliographic Details
Main Author: Zitser, Misha, 1979-
Other Authors: Richard Lippmann.
Format: Thesis
Language:eng
Published: Massachusetts Institute of Technology 2005
Subjects: Electrical Engineering and Computer Science.
Online Access:http://hdl.handle.net/1721.1/18025
Description: Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2003. Includes bibliographical references (leaves 100-105). 130 leaves, application/pdf. Deposited in DSpace 2005-06-02.

Abstract: This thesis evaluated five static analysis tools--PolySpace C Verifier, ARCHER, BOON, Splint, and UNO--using 14 code examples that illustrated actual buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a "BAD" case with one or more buffer overflow vulnerabilities and a "PATCHED" case without buffer overflows. The buffer overflows varied and included stack, heap, bss and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the "BAD" examples were low except for Splint and PolySpace C Verifier, which had average detection rates of 57% and 87% respectively. However, average false alarm rates, as measured using the "PATCHED" programs, were high for these two tools: Splint gave on average one false alarm per 50 lines of code, and PolySpace C Verifier one false alarm per 10 lines of code. This result shows that current approaches can detect buffer overflows, but that false alarm rates need to be lowered substantially.

Rights: M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See http://dspace.mit.edu/handle/1721.1/7582 for inquiries about permission.
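The BAD/PATCHED pairing that the abstract describes, as an added illustration that is not from the thesis and not from the Sendmail, BIND or WU-FTPD code it draws on: one small pair covering two of the overflow classes listed above (a bss buffer indexed above its bound, with the buffer created at file scope and used inside functions; and a pointer walked below the start of a buffer). Function names, the 16-byte buffer size and the sample strings are assumptions chosen for illustration. The thesis kept each BAD and PATCHED variant as a separate program; here both sit in one file so the contrast is visible side by side. Either variant is the kind of input one hands to a checker such as Splint: a report on the BAD function counts as a detection, a report on the PATCHED function counts as a false alarm.

```c
/* Added example in the style of the thesis's BAD/PATCHED test cases.
 * Not code from the thesis; names, sizes and inputs are assumptions. */
#include <stddef.h>
#include <string.h>

#define LINE_MAX_LEN 16   /* deliberately small so the overflow is easy to see */

/* Buffer in bss: created at file scope, used in the functions below
 * (the "scope difference between buffer creation and use" class). */
static char line_buf[LINE_MAX_LEN];

/* BAD: copies an untrusted string into line_buf until the NUL, indexing
 * past LINE_MAX_LEN-1 whenever src is too long (bss buffer, access above
 * bounds, via index). Returns bytes written, which can exceed the buffer. */
size_t bad_copy_line(const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        line_buf[i] = src[i];          /* no check against LINE_MAX_LEN */
        i++;
    }
    line_buf[i] = '\0';
    return i + 1;
}

/* PATCHED: same interface; the copy stops at LINE_MAX_LEN-1 and the buffer
 * is always NUL-terminated. Returns bytes written (<= LINE_MAX_LEN). */
size_t patched_copy_line(const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && i < LINE_MAX_LEN - 1) {
        line_buf[i] = src[i];
        i++;
    }
    line_buf[i] = '\0';
    return i + 1;
}

/* BAD: strips trailing spaces by walking a pointer backwards. On an empty
 * string p already points one byte before buf; on an all-space string the
 * loop walks below buf (access below bounds, via pointer). */
void bad_rstrip(char *buf)
{
    char *p = buf + strlen(buf) - 1;   /* out of bounds when strlen(buf) == 0 */
    while (*p == ' ')
        *p-- = '\0';
}

/* PATCHED: the loop is bounded by the start of the buffer. */
void patched_rstrip(char *buf)
{
    size_t len = strlen(buf);
    while (len > 0 && buf[len - 1] == ' ')
        buf[--len] = '\0';
}

/* PATCHED read-a-line routine built from the two patched pieces.
 * Returns the length of the resulting line. */
size_t patched_read_line(const char *src)
{
    patched_copy_line(src);
    patched_rstrip(line_buf);
    return strlen(line_buf);
}

/* Read access to the shared buffer, for callers and tests. */
const char *current_line(void)
{
    return line_buf;
}
```

Scoring follows the abstract's method: run the checker once over the file containing only the BAD functions and once over the file containing only the PATCHED ones, count warnings that land on the overflowing access in the first run as detections, and count every warning in the second run as a false alarm, normalised by that file's line count.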