Robustness and Security Hardening of COTS Software Libraries
Publication: Contribution to conferences › Paper › Contributed › Peer-reviewed
Contributors
Abstract
COTS components, like software libraries, can be used to reduce the development effort. Unfortunately, many COTS components have been developed without a focus on robustness and security. We propose a novel approach to harden software libraries to improve their robustness and security. Our approach is automated, general and extensible and consists of the following stages. First, we use a static analysis to prepare and guide the following fault injection. In the dynamic analysis stage, fault injection experiments execute the library functions with both usual and extreme input values. The experiments are used to derive and verify one protection hypothesis per function (for instance, function foo fails if argument 1 is a NULL pointer). In the hardening stage, a protection wrapper is generated from these hypotheses to reject unrobust input values of library functions. We evaluate our approach by hardening a library used by Apache (a web server).
Details
Original language | English |
---|---|
Pages | 61-71 |
Number of pages | 11 |
Publication status | Published - 2007 |
Peer review status | Yes |
Conference
Title | 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks 2007 |
---|---|
Short title | DSN'07 |
Event number | 37 |
Duration | 25 - 28 June 2007 |
Degree of recognition | International event |
City | Edinburgh |
Country | United Kingdom |
Keywords
Research profile lines of TU Dresden
DFG subject classification by review board
Keywords
- Robustness, Security, Software libraries, Protection, Runtime, Performance analysis, Computer crashes, Programming profession, Automatic testing, Software systems, security of data, system monitoring, security hardening, COTS software libraries, dynamic analysis, fault injection, protection wrapper, Apache