Combining static and dynamic analyses for vulnerability detection: Illustration on heartbleed - Archive ouverte HAL
Conference Papers Year : 2015

Combining static and dynamic analyses for vulnerability detection: Illustration on heartbleed


Abstract

Security of modern information and communication systems has become a major concern. This tool paper presents Flinder-SCA, an original combined tool for vulnerability detection, implemented on top of Frama-C, a platform for collaborative verification of C programs, and Search Lab’s Flinder testing tool. Flinder-SCA includes three steps. First, abstract interpretation and taint analysis are used to detect potential vulnerabilities (alarms), then program slicing is applied to reduce the initial program, and finally a testing step tries to confirm detected alarms by fuzzing on the reduced program. We describe the proposed approach and the tool, illustrate its application for the recent OpenSSL/HeartBeat Heartbleed vulnerability, and discuss the benefits and industrial application perspectives of the proposed verification approach.

Dates and versions

cea-01834981 , version 1 (11-07-2018)

Cite

B. Kiss, N. Kosmatov, D. Pariente, A. Puccetti. Combining static and dynamic analyses for vulnerability detection: Illustration on heartbleed. Hardware and Software: Verification and Testing. HVC 2015. Lecture Notes in Computer Science, Nov 2015, Haifa, Israel. pp.39-50, ⟨10.1007/978-3-319-26287-1_3⟩. ⟨cea-01834981⟩