Improving Security Using Extensible Lightweight Static Analysis

David Evans and David Larochelle
In IEEE Software, Jan/Feb 2002

Abstract
Most security attacks exploit instances of well-known classes of implementation flaws. Many of these flaws could be detected and eliminated before software is deployed. These problems continue to be present with disturbing frequency, not because they are not sufficiently understood by the security community, but because techniques for preventing them have not been integrated into the software development process. This paper describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities) and can be readily extended to detect new vulnerabilities.

Keywords: static analysis, security vulnerabilities, checking, buffer overflows, format bugs.

Complete Paper (10 pages) [PDF]

Splint Project Page

David Evans
University of Virginia
Department of Computer Science
 evans@virginia.edu