Abstract

Several critical systems, such as Linux, are implemented in the C language, and a security flaw in these systems may impact a vast number of users. Despite efforts to provide security support, these systems still have weaknesses that lead to vulnerable code. In fact, the number of reported vulnerabilities has increased in recent years: more than 18 thousand vulnerabilities were reported to the National Vulnerability Database (NVD) in 2020. Static analysis tools, such as Flawfinder and Cppcheck, may help with this problem by reporting some kinds of weaknesses. However, they present a high rate of false alarms, that is, issues reported in a program when no problem actually exists. We present a technique that combines static analysis with software testing to detect weaknesses introduced in the code during earlier development stages of C programs. The technique is implemented in a framework named WTT. To verify our technique’s relevance, we evaluated 103 warnings from 6 different projects and detected 22 weaknesses of three different kinds: Buffer Overflow, Format String, and Integer Overflow. The results show evidence that our technique may help developers anticipate weakness detection in C programs, reducing vulnerability occurrence in operational versions.
