Designing a Code Vulnerability Meta-scanner

机译：设计代码漏洞元扫描仪

获取原文

页面导航

摘要
著录项
相似文献
相关主题

摘要

The concept of "secure by design" is based on preventive software security and aims at avoiding vulnerabilities as soon as possible. However, finding vulnerabilities manually is a time-consuming and error-prone process. Thus, the use of code scanner tools becomes a good practice for developers. Unfortunately, existing code scanner tools produce too many false positives, which complicates the cycle development task. In this paper, we present an approach to construct a code vulnerability scanner upon existing scanner tools. The aim of such a scanner, called code vulnerability meta-scanner (CVMS), is to be more efficient and reduce the number of false positives. Our experimental results show that none of the scanners strictly subsumes another, and none of them is better than all the others for all the vulnerabilities. So, we propose a method that combines their results with respect to their performances. We experimented our approach using three existing scanner tools (Fortify, Yag Suite and SpotBug). Then, we used the resulted CVMS to annotate a well-known Java application corpus, namely Qualitas Corpus. These experiment results demonstrated that the CVMS performs better than the scanners on which it is constructed.

机译：“通过设计安全”的概念是基于预防性软件安全性，并尽快避免漏洞。但是，手动查找漏洞是耗时和错误的过程。因此，使用代码扫描仪工具成为开发人员的良好做法。不幸的是，现有的代码扫描程序工具产生了太多误报，这使得周期开发任务复杂化。在本文中，我们提出了一种在现有扫描仪工具上构造代码漏洞扫描仪的方法。这种扫描仪的目的，称为代码漏洞元扫描仪（CVM），是更有效和减少误报的数量。我们的实验结果表明，没有一个扫描仪严格归结为另一个，而且这些扫描仪都不是所有其他漏洞的所有人都更好。因此，我们提出了一种将其结果与其表演相结合的方法。我们使用三个现有扫描仪工具（Fortify，YAG Suite和Spotbug）进行了我们的方法。然后，我们使用产生的CVM来注释一个众所周知的Java应用程序语料库，即质量语料库。这些实验结果表明，CVMS比其构造的扫描仪更好地表现得更好。

著录项

来源
《International conference on information security practice and experience》|2019年|xiii 490 p.|共17页
会议地点
作者
Raounak Benabidallah; Salah Sadou; Brendan Le Trionnaire; Isabelle Borne;
展开▼
作者单位

展开▼
会议组织
原文格式 PDF
正文语种
中图分类安全保密;
关键词

相似文献

外文文献
中文文献
专利

1. Towards designing an extendable vulnerability detection method for executable codes [J] . Mouzarani Maryam, Sadeghiyan Babak Information and software technology . 2016,第deca期

机译：致力于设计可执行代码的可扩展漏洞检测方法
2. Designing a Web Application and Detecting Vulnerabilities Using Vega Vulnerabilities Scanner [J] . Korra Manasa, L.Venkateswara Reddy American Journal of Engineering Research . 2016,第8期

机译：使用Vega Vulnerabilities Scanner设计Web应用程序并检测漏洞
3. Designing Algebraic Trellis Vector Code as an Efficient Excitation Codebook for ACELP Coder [J] . Sungjin KIM, Sangwon KANG IEICE Transactions on Communications . 2012,第11期

机译：将代数网格矢量代码设计为ACELP编码器的高效激励代码本
4. Designing a Code Vulnerability Meta-scanner [C] . Raounak Benabidallah, Salah Sadou, Brendan Le Trionnaire, International conference on information security practice and experience . 2019

机译：设计代码漏洞元扫描程序
5. Requirements for imaging vulnerable plaque in the coronary artery using a coded aperture imaging system. [D] . Tozian, Cynthia. 2006

机译：使用编码孔径成像系统对冠状动脉中易损斑块进行成像的要求。
6. Designing an Integrated Care Initiative for Vulnerable Families: Operationalisation of Realist Causal and Programme Theory Sydney Australia [O] . John G. Eastwood ED, Miranda Shaw, Pankaj Garg, 2019

机译：为弱势家庭设计综合照顾计划：现实因果和计划理论的运作澳大利亚悉尼
7. Designing Tornado Codes as Hyper Codes for Improved Error Correcting Performance [O] . Kristian Nybom, Jerker Björkqvist 2006

机译：将龙卷风代码设计为超级代码以改进纠错性能
8. Analysis Comparison Using the Vulnerability Analysis for Surface Targets (VAST)Computer Code and the Computation of Vulnerable Area and Repair Time (COVART III) Computer Code [R] . Lynch, D. D., Kunkel, R. W., Juarascio, S. S. 1997

机译：使用表面目标（VasT）计算机代码的漏洞分析和脆弱区域和维修时间计算的分析比较（COVaRT III）计算机代码

Designing a Code Vulnerability Meta-scanner

摘要

著录项

相似文献

相关主题

期刊订阅