IBM Systems Journal - 2002 Copyright

IBM Journal of Research and Development  
Volume 46, Number 2, Page 265 (2007)
Compliance Management

A survey of static analysis methods for identifying security vulnerabilities in software systems

by M. Pistoia, S. Chandra, S.J. Fink, E. Yahav
In this paper we survey static analysis methods for identifying security vulnerabilities in software systems. We cover three areas that have been associated with sources of security vulnerabilities: access-control, information-flow, and application-programming-interface conformance. Because access control mechanisms fall into two major categories, stack-based access control and role-based access control, we discuss static analysis techniques for these two areas of access control separately. Similarly, security violations pertaining to information flow consist of integrity violations and confidentiality violations, and consequently, our discussion of static analysis techniques for information-flow vulnerabilities includes these two topics. For each type of security vulnerability we present our findings in two parts: in the first part we describe recent research results, and in the second part we illustrate implementation techniques by describing selected static analysis algorithms.