A Synergy between Static and Dynamic Analysis for the Detection of Software Security Vulnerabilities*

Aiman Hanna, Hai Zhou Ling, XiaoChun Yang, and Mourad Debbabi

Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal (QC), Canada
ahanna@encs.concordia.ca
ha_ling@encs.concordia.ca
xc_yang@encs.concordia.ca
debbabi@encs.concordia.ca

Abstract. The main contribution of this paper is a framework for security testing. The framework has two key components: first, a static analyzer that automatically identifies suspicious sites of security vulnerabilities in a control flow graph; second, a test-data generator. The intent is to prove or disprove that the suspicious sites are actual vulnerabilities. The paper introduces the static-dynamic hybrid vulnerability detection system, which targets the automation of security vulnerability detection in software. The system combines the detection powers of both static and dynamic analysis. The model is composed of several components, namely the Static Vulnerability Revealer, the Goal-Path-oriented System, and the Dynamic Vulnerability Detector.

Keywords: Security Automata, Security Testing, Static Analysis, Dynamic Analysis, Test-Data Generation

*This research is the result of a fruitful collaboration between CSL (Computer Security Laboratory) of Concordia University, DRDC (Defence Research and Development Canada) Valcartier and Bell Canada under the NSERC DND Research Partnership Program.

LNCS 5871, p. 815 ff.

© Springer-Verlag Berlin Heidelberg 2009