Software users have become more conscious of security. More people have access to Internet and huge databases of security exploits. To make secure products, software developers must acknowledge this threat and take action. A first step is to perform a software security analysis. The software security analysis was performed using automatic auditing tools. An experimental environment was constructed to check if the findings were exploitable or not…
Contents
1 INTRODUCTION
1.1 BACKGROUND
1.2 SECURING SOFTWARE
1.3 DIFFERENCES IN CLOSED AND OPEN SOURCE
1.4 RESEARCH QUESTIONS
1.5 PURPOSE
1.6 THE PRODUCT
1.7 LIMITATIONS OF THIS THESIS
2 THEORY
2.1 MANUAL SOURCE CODE AUDITING
2.2 AUTOMATIC SOURCE CODE AUDITING
2.3 COMMON SECURITY RISKS AND IMPROVEMENTS
2.3.1 Buffer overflow
2.3.2 Denial of Service
2.3.3 Misplaced trust and input validation
2.3.4 Race condition
2.3.5 Random number generator
3 METHODOLOGY
3.1 AUDITING METHOD
3.2 AUDITING SOURCE CODE
3.2.1 Automatic auditing
3.2.2 Flawfinder
3.2.3 ITS4
3.2.4 RATS
3.2.5 Manual auditing
3.3 SECURITY CATEGORIES
3.4 PRACTICAL EXPERIMENTS
3.5 OPEN SOURCE SECURITY REPORTS
3.6 RISK EVALUATION
3.7 BUG TRACKING
3.8 THIRD PARTY LIBRARIES
4 INVESTIGATION
4.1 RESULTS – AUTOMATED TOOLS
4.1.1 Manual examination of the automated tools findings
4.1.2 Manual auditing
4.1.3 Automated tools false negative
4.2 RESULTS – APPLICATION
4.2.1 Security risks
4.2.2 Proof of concepts
5 DISCUSSION
5.1 THE TOOLS
5.2 THE APPLICATION
5.3 INCORPORATING SECURITY
6 CONCLUSIONS
7 REFERENCES
Author: Daniel Persson, Dejan Baca
Source: Blekinge Institute of Technology
Reference URL 1: Visit Now