ITS4: A static vulnerability scanner for C and C++ code

A
ACSAC
2000
16th Annual Computer Security Applications Conference (ACSAC'00)
Abstract - ITS4: A static vulnerability scanner for C and C++ code

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by J. Viega Articles by J.T. Bloch Articles by Y. Kohno Articles by G. McGraw

16th Annual Computer Security Applications Conference (ACSAC'00)

New Orleans, Louisiana

December 11-December 15

ISBN: 0-7695-0859-6

	ASCII Text	x
	J. Viega, J.T. Bloch, Y. Kohno, G. McGraw, "ITS4: A static vulnerability scanner for C and C++ code," Computer Security Applications Conference, Annual, pp. 257, 16th Annual Computer Security Applications Conference (ACSAC'00), 2000.

	BibTex	x
	@article{ 10.1109/ACSAC.2000.898880, author = {J. Viega and J.T. Bloch and Y. Kohno and G. McGraw}, title = {ITS4: A static vulnerability scanner for C and C++ code}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2000}, issn = {1063-9527}, pages = {257}, doi = {http://doi.ieeecomputersociety.org/10.1109/ACSAC.2000.898880}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - ITS4: A static vulnerability scanner for C and C++ code SN - 1063-9527 SP EP A1 - J. Viega, A1 - J.T. Bloch, A1 - Y. Kohno, A1 - G. McGraw, PY - 2000 KW - security of data; C language; C++ language; software packages; software tools; ITS4; static vulnerability scanner; C code; C++ code; security-critical source code; software vulnerabilities; real-time feedback; software package; e-commerce software VL - 0 JA - Computer Security Applications Conference, Annual ER -

J. Viega, Reliable Software Technol., Dulles, VA, USA

J.T. Bloch, Reliable Software Technol., Dulles, VA, USA

Y. Kohno, Reliable Software Technol., Dulles, VA, USA

G. McGraw, Reliable Software Technol., Dulles, VA, USA

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ACSAC.2000.898880

We describe ITS4, a tool for statically scanning security-critical C source code for vulnerabilities. Compared to other approaches, our scanning technique stakes out a new middle ground between accuracy and efficiency. This method is efficient enough to offer real-time feedback to developers during coding while producing few false negatives. Unlike other techniques, our method is also simple enough to scan C++ code despite the complexities inherent in the language. Using ITS4 we found new remotely-exploitable vulnerabilities in a widely distributed software package as well as in a major piece of e-commerce software. The ITS4 source distribution is available at http://www.rstcorp.com/its4.

Index Terms:

security of data; C language; C++ language; software packages; software tools; ITS4; static vulnerability scanner; C code; C++ code; security-critical source code; software vulnerabilities; real-time feedback; software package; e-commerce software

Citation:

J. Viega, J.T. Bloch, Y. Kohno, G. McGraw, "ITS4: A static vulnerability scanner for C and C++ code," acsac, pp.257, 16th Annual Computer Security Applications Conference (ACSAC'00), 2000

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.