The SAMATE Project Department of Homeland Security

Bibliography


DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.

We also keep a list of all SAMATE Publications and presentations.


Metrics

  • CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2012.
    Available at http://samate.nist.gov/docs/CAS 2012 Static Analysis Tool Study Methodology.pdf
  • CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2011.
    Available at http://samate.nist.gov/docs/CAS 2011 Static Analysis Tool Study Methodology.pdf
  • P. K. Manadhata, K. M. C. Tan, R. A. Maxion, and J. M. Wing, An Approach to Measuring a System's Attack Surface, Carnegie Mellon University, Technical Report CMU-CS-07-146, August 2007.
    Available at http://reports-archive.adm.cs.cmu.edu/anon/2007/CMU-CS-07-146.pdf
  • O. H. Alhazmi, Y. K. Malaiya, and I. Ray, Security Vulnerabilities in Software Systems: A Quantitative Perspective, Colorado State University, IFIP WG 11.3 Working Conference on Data and Applications Security, August 2005.
  • Joe Schofield, The Statistically Unreliable Nature of Lines of Code, CrossTalk, 18(4):29-33, April 2005.
    Available at http://www.crosstalkonline.org/storage/issue-archives/2005/200504/200504-Schofield.pdf
  • Brian Chess and Katrina Tsipenyuk, A Metric for Evaluating Static Analysis Tools, MetriCon 1.0, Vancouver, August 2006.

Product Evaluation and Surveys

in reverse chronological order

  • Booz Allen Hamilton, Software Security Assessment Tools Review, March 2009.
    Available at http://samate.nist.gov/docs/NAVSEA-Tools-Paper-2009-03-02.pdf
  • Martin Johns, Scanstud - Evaluating Static Analysis Tools, May 2008.
    Available at https://www.owasp.org/images/7/76/Johns_jodeit_-_ScanStud_OWASP_Europe_2008.pdf
  • R. Krishnan, Margaret Nadworny, and Nishil Bharill, Static Analysis for Improving Secure Software Development at Motorola, November 2007.
  • Redge Bartholomew, Evaluation of Static Source Code Analyzers for Real-Time Embedded Software Development, November 2007.
    Available in Proc. Static Analysis Workshop II (SAS II), Ada Letters, April 2008.
  • Larry Suto, Analyzing the Effectiveness and Coverage of Web Application Security Scanners, October 2007.
  • Justin Schuh, Code Scanners: False Sense of Security?, 16 April 2007.
  • Peter A. Buxbaum, All for One, but Not One for All, GCN, March 18, 2007.
    Available at http://gcn.com/articles/2007/03/18/all-for-one-but-not-one-for-all.aspx
  • iDefense Labs, Top 10 Spyware Applications, January 5, 2006.
    Available at http://labs.idefense.com/intelligence/researchpapers.php
  • Jeff Forristal, Review: Source-Code Assessment Tools Kill Bugs Dead, Secure Enterprise Magazine, Dec. 2005.
  • Brian E. Burke, sponsored by Webroot, Securing Enterprise Environments Against Spyware: Benefits of Best-of-Breed Security, November 2005.
  • Kendra Kratkiewicz, Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code, Master's thesis, Harvard University, Cambridge, MA, 2005, 285 pages.
    Available at http://www.ll.mit.edu/mission/communications/ist/corpora/KratkiewiczThesis.pdf
  • Freeland Abbott and Joseph Saur, A Comparison of Code Checker Technologies for Software Vulnerability Evaluation, Code Checkers Project Evaluation Report, Joint Systems Integration Command, 25 April 2005.
  • Misha Zitser, Richard Lippmann, and Tim Leek, Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code, Proc. FSE-12, ACM SIGSOFT, 2004.
    Their test cases can be found on their website, http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/Cybersystemscorpora.html, under Model Programs ... file models-2007-11-06.tgz.
  • Defense Information Systems Agency, Application Security Assessment Tool Market Survey, Version 3.0, July 29, 2004.
  • Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, The 15th IEEE International Symposium on Software Reliability Engineering (ISSRE'04), Saint-Malo, Bretagne, France, November 2004.
    Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf (12 pages).
  • John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, Proc. 10th Network and Distributed System Security Symposium (NDSS'03), February 5-7, 2003, San Diego, California, pages 149-162.
    Available at https://www.isoc.org/isoc/conferences/ndss/03/proceedings/papers/10.pdf
  • Ciera Nicole Christopher, Evaluating Static Analysis Frameworks, Carnegie Mellon University, "Analysis of Software Artifacts 17-754", May 10, 2006.
    Available at http://www.cs.cmu.edu/~aldrich/courses/654/tools/christopher-analysis-frameworks-06.pdf (17 pages).
  • John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Static Intrusion Prevention, Proc. 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), November 7-8, 2002, Karlstad, Sweden, pages 68-84.
    Available at http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.13.1979

Technical Algorithm Papers

alphabetical by author's last name

  • Sagar Chaki and Scott Hissam, Certifying the Absence of Buffer Overflows, Technical Note CMU/SEI-2006-TN-030, September 2006.
    Available at http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm
  • Christoph Csallner and Yannis Smaragdakis, Check 'n' Crash: Combining Static Checking and Testing, in Proceedings of the 27th International Conference on Software Engineering (ICSE), May 15-21, 2005.
  • David Hovemeyer and William Pugh, Finding Bugs is Easy, in SIGPLAN Notices (Proceedings of Onward! at OOPSLA 2004), December 2004.
    Available at http://faculty.ycp.edu/~dhovemey/pubs/oopsla2004.pdf (15 pages).
  • Holger Peine, Rules of Thumb for Secure Software Engineering, in Proceedings of the 27th International Conference on Software Engineering (ICSE), May 15-21, 2005.
  • Marco Pistoia, Satish Chandra, Stephen J. Fink, and Eran Yahav, A Survey of Static Analysis Methods for Identifying Security Vulnerabilities in Software Systems, IBM Systems Journal, 46(2):265-288, April-June 2007.
  • Donald J. Reifer, Protecting Yourself Against Malicious Code in COTS, Systems & Software Technology Conference, 18-21 April 2005, Salt Lake City, UT.
  • Alexander Ivanov Sotirov, Automatic Vulnerability Detection Using Static Source Code Analysis, Master's thesis, 2005.
  • David Wagner, Jeffrey Foster, Eric Brewer, and Alexander Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, in Proceedings of the Network and Distributed System Security Symposium, Feb. 2000.
    Available at http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.pdf

Specific Vulnerabilities

  • Lwin Khin Shar and Hee Beng Kuan Tan, Defeating SQL Injection, IEEE Computer, 46(3), pages 69-77, March 2013.
  • Benjamin A. Kuperman, Carla E. Brodley, Hilmi Ozdoganoglu, T. N. Vijaykumar, and Ankit Jalote, Detection and prevention of stack buffer overflow attacks, CACM, 48(11), pages 50-56, November 2005.
    Available at http://doi.acm.org/10.1145/1096000.1096004
  • Robert H. B. Netzer and Barton P. Miller, What Are Race Conditions? Some Issues and Formalization, University of Wisconsin - Madison, 1992.
    Available at http://www.cs.umd.edu/projects/syschat/raceConditions.pdf

Other Papers

Books

  • Secure Programming with Static Analysis, Brian Chess & Jacob West, Addison-Wesley - ISBN 0-321-42477-8
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith, Addison-Wesley - ISBN 0-32-134998-9
  • Building Secure Software, John Viega & Gary McGraw, Addison-Wesley - ISBN 0-201-72152-X
  • Exploiting Software, How to Break Code, Greg Hoglund & Gary McGraw, Addison-Wesley - ISBN 0-201-78695-8
  • Secure Programming Cookbook for C and C++, John Viega & Matt Messier, O'Reilly - ISBN 0-59-600394-3
  • Buffer Overflow Attacks, Detect, Exploit, Prevent, James C. Foster, Vitaly Osipov, Nish Bhalla, Niels Heinen, SYNGRESS - ISBN 1-93-226667-4
  • Secure Coding in C and C++, Robert C. Seacord, Addison-Wesley, 2005 - ISBN-13: 978-0321335722
  • Secure Coding - Principles and Practices, Mark G. Graff and Kenneth R. van Wyk, O'Reilly - ISBN 0-59-600242-4
  • 19 Deadly Sins of Software Security, Michael Howard, David LeBlanc, John Viega, McGraw-Hill Osborne Media - ISBN 0-07-226085-8