Text Box: A Demand-Driven Path-Sensitive Framework to Detect, Diagnose and Test for Software Vulnerabilities Text Box: Marple Text Box: Despite increasing efforts in detecting and managing software security flaws, the number of security attacks is still rising every year. As software becomes more complex, security flaws are more easily introduced into the system and more difficult to eliminate. Meanwhile, attackers take advantage of software tools for developing, testing and debugging exploits, which make the construction of attacks automatic, fast and easy. The goal of this research is to develop a static analysis and testing framework for detecting and managing security flaws. The key idea is to develop static analysis tools to determine program paths that lead to various types of vulnerabilities, and then apply testing techniques to exploit the vulnerabilities. The static analysis algorithms will be path-sensitive to provide detailed information about the security flaw. They will also be demand-driven to ensure scalability to handle large programs. We will then develop test inputs to exercise potentially vulnerable paths and paths where a determination of whether vulnerability exists cannot be made statically to show that vulnerabilities exist. By demonstrating real exploits through testing, we aim to eliminate (or at least reduce) false alarms generated from static analysis.

We  thank the Microsoft External Research & Programs group for supporting this project 2005-2007. We also thank the Google Anita Borg Scholarship  for the funding for Wei Le's research in 2007.

 

 

 

 

Sponsors:

Contact Us:

Email:

marple@cs.virginia.edu

 

Address:

Department of Computer Science

University of Virginia

151 Engineering¡¯s Way, P.O.Box 400740

Charlottesville, VA 22904-4740