DOI: 10.1145/2645791.2645796
Research article

Securing Legacy Code with the TRACER Platform

Published: 02 October 2014

Abstract

Software vulnerabilities can severely affect an organization's infrastructure and cause it significant financial damage. A number of tools and techniques are available for detecting vulnerabilities in software written on various programming platforms, in pursuit of mitigating such defects. However, since the requirements for running these tools and the formats in which they store and present their results vary widely, it is difficult to use many of them within the scope of a single project. Simplifying the process of running a variety of vulnerability detectors and collecting their results in an efficient, automated manner during development makes it easier to track security defects throughout the evolution history of a software project. In this paper we present TRACER, a software framework and platform that supports the development of more secure applications by constantly monitoring software projects for vulnerabilities. The platform allows easy integration of existing tools that statically detect software vulnerabilities and promotes their use during software development and maintenance. To demonstrate the efficiency and usability of the platform, we integrated two popular static analysis tools, FindBugs and Frama-C, as sample implementations, and report on preliminary results from their use.


Published In

PCI '14: Proceedings of the 18th Panhellenic Conference on Informatics
October 2014
355 pages
ISBN:9781450328975
DOI:10.1145/2645791
  • General Chairs: Katsikas Sokratis, Hatzopoulos Michael, Apostolopoulos Theodoros, Anagnostopoulos Dimosthenis
  • Program Chairs: Carayiannis Elias, Varvarigou Theodora, Nikolaidou Mara
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • Greek Com Soc: Greek Computer Society
  • Univ. of Piraeus: University of Piraeus
  • National and Kapodistrian University of Athens: National and Kapodistrian University of Athens
  • Athens U of Econ & Business: Athens University of Economics and Business

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Legacy software
  2. Software Security
  3. Static Analysis
  4. Trusted Applications

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

PCI '14

Acceptance Rates

PCI '14 Paper Acceptance Rate 51 of 102 submissions, 50%;
Overall Acceptance Rate 190 of 390 submissions, 49%
