Policy and implementation assurance for software security
Linköping University, Department of Computer and Information Science, PELAB - Programming Environment Laboratory. Linköping University, The Institute of Technology.
2005 (English). Licentiate thesis, monograph (Other academic)
Abstract [en]

To build more secure software, accurate and consistent security requirements must be specified. We have investigated current practice by doing a field study of eleven requirement specifications on IT systems. The overall conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions.

To build more secure software we specifically need assurance requirements on code. A way to achieve implementation assurance is to use effective methods and tools that solve or warn about known vulnerability types in code. We have investigated the effectiveness of four publicly available tools for run-time prevention of buffer overflow attacks. Our comparison shows that the best tool is effective against only 50 % of the attacks and there are six attack forms which none of the tools can handle. We have also investigated the effectiveness of five publicly available compile-time intrusion prevention tools. The test results show high rates of false positives for the tools building on lexical analysis and low rates of true positives for the tools building on syntactical and semantical analysis.

As a first step toward a more effective and generic solution we propose dependence graphs decorated with type and range information as a way of modeling and pattern matching security properties of code. These models can be used to characterize both good and bad programming practice. They can also be used to visually explain code properties to the programmer.

Place, publisher, year, edition, pages
Linköping: Linköpings universitet, 2005. 135 p.
Series
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971 ; 1207
Keyword [en]
IT security, data protection, computer security
National Category
Computer Science
Identifiers
URN: urn:nbn:se:liu:diva-33297; Local ID: 19300; ISBN: 91-85457-65-5 (print); OAI: oai:DiVA.org:liu-33297; DiVA: diva2:254120
Presentation
2005-11-18, Visionen, Hus B, Linköpings Universitet, Linköping, 13:15 (Swedish)
Available from: 2009-10-09 Created: 2009-10-09 Last updated: 2013-11-14

Open Access in DiVA

No full text

By author/editor: Wilander, John