Overview of secure software analysis methods
DOI:
https://doi.org/10.26906/SUNZ.2025.1.156-161
Keywords:
secure software, program vulnerability, information leak, version changes, binary code
Abstract
The article provides a detailed review of methods for analyzing secure software. The purpose of the study is to review existing methods of static and dynamic program analysis, which are the basis for ensuring security. To this end, the functional capabilities of various methods and tools are compared and their main shortcomings are identified. Research results. A detailed review and comparative analysis is presented of existing methods for comparing source and binary files, analyzing changes between software versions, and searching for dynamic memory leaks and errors in the use of freed memory. It is proved that, despite the large number of available methods, there are serious limitations on the class of tasks to which they can be effectively applied. Conclusion. The existing limitations need to be removed by developing the proposed methods. It is advisable to consider the methods not separately but in combination, taking into account the contribution that each method individually makes to the overall picture of ensuring program security. Such joint development and joint use of the methods considered in the article will allow for a higher-quality analysis.
License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.