Policy and implementation assurance for software security
Linköping University, Department of Computer and Information Science, PELAB - Programming Environment Laboratory. Linköping University, The Institute of Technology.
2005 (English) Licentiate thesis, monograph (Other academic)
Abstract [en]

To build more secure software, accurate and consistent security requirements must be specified. We investigated current practice in a field study of eleven requirement specifications for IT systems. The overall conclusion is that security requirements are poorly specified for three reasons: inconsistency in the selection of requirements, inconsistency in the level of detail, and almost no requirements on standard security solutions.

To build more secure software we specifically need assurance requirements on code. One way to achieve implementation assurance is to use effective methods and tools that eliminate, or warn about, known vulnerability types in code. We investigated the effectiveness of four publicly available tools for run-time prevention of buffer overflow attacks. Our comparison shows that the best tool is effective against only 50 % of the attacks, and there are six attack forms that none of the tools can handle. We also investigated the effectiveness of five publicly available compile-time intrusion prevention tools. The test results show high rates of false positives for the tools built on lexical analysis and low rates of true positives for the tools built on syntactic and semantic analysis.

As a first step toward a more effective and generic solution, we propose dependence graphs decorated with type and range information as a way of modeling and pattern matching security properties of code. These models can be used to characterize both good and bad programming practice. They can also be used to visually explain code properties to the programmer.
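The contrast drawn in the abstract between lexical tools (many false positives) and tools that reason about types and ranges (fewer, but possibly missed, findings) can be shown on a small scale. The following is an added example, not code from the thesis or from any of the tools it evaluates: a grep-style rule that reports every strcpy() call, beside a checker that decorates each declared char buffer with its capacity and only reports a call whose source length cannot be shown to fit the destination. The C fragments in SAMPLES are constructed for this illustration, and the "range decoration" here is a deliberately simplified stand-in for the decorated dependence graphs the abstract proposes.

```python
"""Lexical vs. range-aware detection of unsafe strcpy() calls (added example).

A token-pattern (lexical) rule fires on every strcpy(), including calls that
cannot overflow. A checker that attaches a byte range to each buffer only
fires when the longest possible source string exceeds the destination.
"""
import math
import re

# Constructed C fragments (not from the thesis); one function per case.
SAMPLES = {
    # Source is a pointer parameter of unknown length: a real overflow.
    "unbounded": """
        void f(char *arg) {
            char buf[16];
            strcpy(buf, arg);
        }
    """,
    # Source is a smaller local array: cannot overflow, but a lexical rule
    # still reports it (a false positive).
    "fits": """
        void g(void) {
            char buf[16];
            char name[8];
            strcpy(buf, name);
        }
    """,
    # Source is a larger local array: may overflow.
    "too_big": """
        void h(void) {
            char buf[8];
            char line[64];
            strcpy(buf, line);
        }
    """,
    # Literal source whose length is known exactly (6 > 3 usable bytes).
    "literal": """
        void k(void) {
            char buf[4];
            strcpy(buf, "abcdef");
        }
    """,
}

DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
CALL_RE = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*("[^"]*"|\w+)\s*\)')


def lexical_findings(code):
    """Lexical rule: report every strcpy() call, regardless of operands."""
    return [m.group(0) for m in CALL_RE.finditer(code)]


def buffer_sizes(code):
    """Decorate each 'char name[N]' declaration with its capacity N (type info)."""
    return {m.group(1): int(m.group(2)) for m in DECL_RE.finditer(code)}


def length_range(expr, sizes):
    """(lo, hi) range of string lengths the source expression can have."""
    if expr.startswith('"'):
        n = len(expr) - 2          # literal content length (escapes ignored in this toy)
        return (n, n)
    if expr in sizes:
        return (0, sizes[expr] - 1)  # a C string in char[M] is at most M-1 long
    return (0, math.inf)           # pointer parameter, global, heap: unbounded


def range_findings(code):
    """Report strcpy(dst, src) only when src may be longer than dst can hold."""
    sizes = buffer_sizes(code)
    findings = []
    for m in CALL_RE.finditer(code):
        dst, src = m.group(1), m.group(2)
        if dst not in sizes:
            # Destination capacity unknown (e.g. a pointer): this toy stays
            # silent, which is the kind of blind spot behind low true-positive
            # rates in analyses that only report what they can prove.
            continue
        capacity = sizes[dst] - 1   # usable bytes, leaving room for the NUL
        _, longest = length_range(src, sizes)
        if longest > capacity:
            findings.append((m.group(0), longest, capacity))
    return findings


def compare(samples):
    """Per sample: (lexical report count, range-aware report count)."""
    return {name: (len(lexical_findings(c)), len(range_findings(c)))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, counts in compare(SAMPLES).items():
        print(f"{name:10s} lexical={counts[0]} range-aware={counts[1]}")
```

Running it reports one finding per sample from the lexical rule, whereas the range-aware checker stays quiet on the "fits" case and, for the literal, can state why it fires (a 6-byte string into 3 usable bytes). A real implementation would derive the ranges from a dependence graph over assignments and calls rather than from declarations alone.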

Place, publisher, year, edition, pages
Linköping: Linköpings universitet, 2005. 135 p.
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971; 1207
Keyword [en]
IT-säkerhet (IT security), dataskydd (data protection), data protection, computer security
National Category
Computer Science
URN: urn:nbn:se:liu:diva-33297
Local ID: 19300
ISBN: 91-85457-65-5
OAI: diva2:254120
Public defence
2005-11-18, Visionen, Hus B, Linköpings Universitet, Linköping, 13:15 (Swedish)
Available from: 2009-10-09 Created: 2009-10-09 Last updated: 2013-11-14

Open Access in DiVA

No full text

Author
Wilander, John