Cyber security at software development time

Secure systems are intrinsically dependent on secure software. Creating secure software is no simple task, and every aspect of the software development lifecycle has to be taken into account. In this article we focus on security in the software implementation phase and present a number of techniques that enable the formal checking of security properties at software development time. We give an overview of some of the automated analysis techniques available today, ranging from tree-based pattern matching to model checking. Moreover, we present our source code analysis tool Goanna, which integrates those security analysis techniques, and we provide a number of application examples, drawn from the National Institute of Standards and Technology's (NIST) comparative exposition, in which Goanna detects real security threats.
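As an added illustration (not Goanna's own code or output), the following toy checker shows the combination the abstract describes: syntactic labels obtained by pattern matching on the program tree are attached to a control-flow graph, and a temporal safety property is then checked over that graph at development time. The C fragment, its control-flow graph, the labels and the use-after-free property are all constructed here for the example.

```python
from collections import deque

# Hand-constructed control-flow graph for this C fragment (example only):
#
#   1: p = malloc(n);
#   2: if (cond)
#   3:     free(p);
#   4: p[0] = 1;      /* reachable from node 3 without reassigning p */
#   5: return;
#
# Atomic propositions such as "assign", "free" and "use" would come from
# tree-based pattern matching on the AST; here they are given by hand.
CFG = {1: [2], 2: [3, 4], 3: [4], 4: [5], 5: []}
LABELS = {1: {"assign"}, 3: {"free"}, 4: {"use"}}

# Same fragment with the use moved into the else branch, so the freed
# pointer is never touched again on any path.
SAFE_CFG = {1: [2], 2: [3, 4], 3: [5], 4: [5], 5: []}
SAFE_LABELS = {1: {"assign"}, 3: {"free"}, 4: {"use"}}


def check_use_after_free(cfg, labels):
    """Model-check the CTL property AG(free -> AX A[!use W assign]):
    from every node labelled 'free', no node labelled 'use' may be
    reachable without first passing a node that re-assigns the pointer.
    Returns a list of (free_node, use_node) violations."""
    violations = []
    for start in cfg:
        if "free" not in labels.get(start, set()):
            continue
        seen, queue = set(), deque(cfg[start])
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            props = labels.get(node, set())
            if "assign" in props:
                continue            # pointer reassigned: this path is safe
            if "use" in props:
                violations.append((start, node))
                continue
            queue.extend(cfg[node])
    return violations


if __name__ == "__main__":
    for freed, used in check_use_after_free(CFG, LABELS):
        print(f"use after free: freed at node {freed}, used at node {used}")
```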