Detection Methods about Concurrency Error of Secure Coding based on Symbolic Information of Symbolic Execution
Kim, Joon-Ho
Department of IT Policy and Management
Graduate School of Soongsil University
As businesses develope and evolve, they are inc...
Detection Methods about Concurrency Error of Secure Coding based on Symbolic Information of Symbolic Execution
Kim, Joon-Ho
Department of IT Policy and Management
Graduate School of Soongsil University
As businesses develope and evolve, they are increasingly reliant on software. Almost all areas such as the Internet, home appliances, and smart devices are combined with software, making it difficult to imagine a world without software.
However, the higher the reliance on software, the worse the side effects. The most common case is to exploit security weaknesses left in the software without being removed from the production process. Attackers try to take advantage of the security weaknesses left in the software to seize information and take monetary gain. It has become a situation where social confusion occur and even life might be dangerous.
Creating secure software is more important than we thought, and it is directly related to our survival. In order to prevent attacks on software, it is important to completely eliminate security weaknesses in the source code and to properly control the development process for them. To this end, various software inspection methodologies are emerging. Among them, static analysis inspection methodology has many advantages and is effective. However, static analysis methodology is analyzed and checked only for source code, so there is a high possibility of false positives and false negatives. Failure to resolve many false positives and false negatives leads to less confidence in the inspection methodology. In particular, it is difficult to check for concurrency errors, which are an important issue in multi-threaded environments, using the static analysis methodology.
To improve this situation, I propose a methodology for checking concurrency errors in static analysis methodology using symbolic execution. Symbolic execution differs greatly from the traditional methodologies of checking security weaknesses in a patterned manner. Symbolic Execution methodology added to the static analysis methodology can detect the correct security weaknesses against concurrency errors without false positives or false negatives. This is a advanced static analysis methodology that can help implementing more secure software. To prove this, I have used open source programs to inspect various codes.