Source Code Vulnerability Assessment Methodology

Active / Technical Report | Accession Number: ADA486804

Abstract:

Coding errors and security vulnerabilities are routinely introduced into application source code for both malicious and non-malicious purposes. The U.S. Army Research Laboratory (ARL) Survivability/Lethality Analysis Directorate (SLAD), Information and Electronic Protection Division (IEPD) has developed a security-focused source Code Analysis Methodology (CAM) to identify, exploit, and mitigate vulnerabilities found in software developed for use in U.S. Army systems. Because of the classified nature of the results obtained via the CAM on actual systems, it is not possible to present these results in an unclassified forum. Instead, the work presented here provides a proof-of-concept of the CAM and exploit development process by generating an exploit for a buffer overflow vulnerability found in a free software application. A buffer overflow vulnerability presents a serious threat to the security of a software system and provides one example of the coding errors and security issues that the CAM is designed to detect, exploit, and mitigate against. The work described here provides an example of the process that is followed to ultimately determine the appropriate mitigations and countermeasures that will protect and enhance Soldier and system survivability via the CAM.

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution: Approved For Public Release
Distribution Statement: Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR