Publication | Closed Access
ITS4: a static vulnerability scanner for C and C++ code
328
Citations
7
References
2002
Year
Unknown Venue
Topics: Software Maintenance, Engineering, Information Security, Software Engineering, Source Code Analysis, Software Analysis, Formal Verification, ITS4 Source Distribution, Hardware Security, Vulnerability Assessment (Computing), Static Vulnerability Scanner, Static Checking, Static Analysis, E-commerce Software, Computer Engineering, Computer Science, Static Program Analysis, Language-based Security, Security Testing Method, Software Security, Program Analysis, Software Testing, System Software, Software Package
The authors present ITS4, a static vulnerability scanner for security-critical C and C++ source code. Compared with other approaches, its scanning technique occupies a middle ground between accuracy and efficiency: it is fast enough to give developers real-time feedback while they code, produces few false negatives, and is simple enough to handle C++ despite the complexity of that language. Using ITS4 the authors found new remotely exploitable vulnerabilities in a widely distributed software package and in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4.
We describe ITS4, a tool for statically scanning security-critical C source code for vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4 we found new remotely-exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4.