Combining static and dynamic analyses for vulnerability detection: Illustration on heartbleed - CEA - Commissariat à l’énergie atomique et aux énergies alternatives
Conference paper, Year: 2015

Combining static and dynamic analyses for vulnerability detection: Illustration on heartbleed

Abstract

Security of modern information and communication systems has become a major concern. This tool paper presents Flinder-SCA, an original combined tool for vulnerability detection, implemented on top of Frama-C, a platform for collaborative verification of C programs, and Search Lab’s Flinder testing tool. Flinder-SCA includes three steps. First, abstract interpretation and taint analysis are used to detect potential vulnerabilities (alarms), then program slicing is applied to reduce the initial program, and finally a testing step tries to confirm detected alarms by fuzzing on the reduced program. We describe the proposed approach and the tool, illustrate its application for the recent OpenSSL/HeartBeat Heartbleed vulnerability, and discuss the benefits and industrial application perspectives of the proposed verification approach.
File not deposited

Dates and versions

cea-01834981, version 1 (11-07-2018)

Identifiers

Cite

B. Kiss, N. Kosmatov, D. Pariente, A. Puccetti. Combining static and dynamic analyses for vulnerability detection: Illustration on heartbleed. Hardware and Software: Verification and Testing. HVC 2015. Lecture Notes in Computer Science, Nov 2015, Haifa, Israel. pp.39-50, ⟨10.1007/978-3-319-26287-1_3⟩. ⟨cea-01834981⟩
93 views
0 downloads
