http://dx.doi.org/10.3745/KIPSTA.2008.15-A.1.45

An Analysis Method for Detecting Vulnerability to Symbolic Link Exploit  

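Joo, Seong-Yong (Department of Computer Engineering, Graduate School, Dong-A University)
Ahn, Joon-Seon (School of Avionics and Information and Communication Engineering, Korea Aerospace University)
Jo, Jang-Wu (Department of Computer Engineering, Dong-A University)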
Abstract
In this paper we define code that is vulnerable to the symbolic link exploit and propose a technique to detect it using program analysis. Existing methods for dealing with the symbolic link exploit are protective: when accessing a temporary file, the program must check whether the file has been attacked by a symbolic link exploit. If programmers miss this check, the program may be exposed to the symbolic link exploit. Because our technique detects all code vulnerable to the symbolic link exploit, it helps programmers keep the program safe. Our technique adds two type qualifiers to the existing type system to analyze code vulnerable to the symbolic link exploit, and it detects the vulnerable code using type checking that includes the added type qualifiers. Because our technique detects all code vulnerable to the symbolic link exploit automatically, it saves the cost of reviewing and modifying all of the code, since programmers apply the protection methods only to the code detected as vulnerable. We tested our analyzer on widely used programs. In our experiments, only a portion of all calls to the function fopen() were analyzed as vulnerable to the symbolic link exploit. This shows that our technique is useful for reducing the amount of code that must be modified.
Keywords
Symbolic Link Exploit; Race Condition Detection; Flow-Insensitive Analysis; Software Vulnerabilities; Software Security