ITS4: A static vulnerability scanner for C and C++ code

New Orleans, Louisiana December 11-December 15

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/ACSAC.2000.898880

16th Annual Computer Security Applica ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by J. Viega Articles by J.T. Bloch Articles by Y. Kohno Articles by G. McGraw

	ASCII Text	x
	J. Viega, J.T. Bloch, Y. Kohno, G. McGraw, "ITS4: A static vulnerability scanner for C and C++ code," Computer Security Applications Conference, Annual, pp. 257, 16th Annual Computer Security Applications Conference (ACSAC'00), 2000.

	BibTex	x
	@article{ 10.1109/ACSAC.2000.898880, author = {J. Viega and J.T. Bloch and Y. Kohno and G. McGraw}, title = {ITS4: A static vulnerability scanner for C and C++ code}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2000}, issn = {1063-9527}, pages = {257}, doi = {http://doi.ieeecomputersociety.org/10.1109/ACSAC.2000.898880}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - ITS4: A static vulnerability scanner for C and C++ code SN - 1063-9527 SP EP A1 - J. Viega, A1 - J.T. Bloch, A1 - Y. Kohno, A1 - G. McGraw, PY - 2000 KW - security of data; C language; C++ language; software packages; software tools; ITS4; static vulnerability scanner; C code; C++ code; security-critical source code; software vulnerabilities; real-time feedback; software package; e-commerce software VL - 0 JA - Computer Security Applications Conference, Annual ER -

J. Viega, Reliable Software Technol., Dulles, VA, USA

J.T. Bloch, Reliable Software Technol., Dulles, VA, USA

Y. Kohno, Reliable Software Technol., Dulles, VA, USA

G. McGraw, Reliable Software Technol., Dulles, VA, USA

We describe ITS4, a tool for statically scanning security-critical C source code for vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4 we found new remotely-exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4.

Index Terms:

security of data; C language; C++ language; software packages; software tools; ITS4; static vulnerability scanner; C code; C++ code; security-critical source code; software vulnerabilities; real-time feedback; software package; e-commerce software

Citation:

J. Viega, J.T. Bloch, Y. Kohno, G. McGraw, "ITS4: A static vulnerability scanner for C and C++ code," acsac, pp.257, 16th Annual Computer Security Applications Conference (ACSAC'00), 2000

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.