Family-Based Vulnerability Discovery for Software Product Lines
Abstract (englisch):
The exploitation of software vulnerabilities by attackers can have disastrous consequences.
Discoveries like Heartbleed strikingly demonstrated that despite this grave danger, serious vulnerabilities frequently go unnoticed. This problem is exacerbated through the introduction of Software Product Lines (SPLs), highly configurable software systems that give rise to a vast array of potentially vulnerable software products. Applying conventional static source code analysis solutions, which are a
common aid for the discovery of vulnerabilities, to these systems faces scalability and completeness issues. To address these issues, researchers introduced the concept of family-based analyses, which aim to analyze an SPL in its entirety rather than
individual products. While family-based analyses have been proposed for various objectives, previous work dedicated to family-based vulnerability discovery has been limited. Notably, there is no solution that leverages the benefits of Query-Based Static Application Security Testing (Q-SAST), which allows vulnerability patterns to be codified into queries controlling the analysis. Corresponding tools provide many benefits and enable convenient detection of even sophisticated vulnerabilities. ... mehr
Discoveries like Heartbleed strikingly demonstrated that despite this grave danger, serious vulnerabilities frequently go unnoticed. This problem is exacerbated through the introduction of Software Product Lines (SPLs), highly configurable software systems that give rise to a vast array of potentially vulnerable software products. Applying conventional static source code analysis solutions, which are a
common aid for the discovery of vulnerabilities, to these systems faces scalability and completeness issues. To address these issues, researchers introduced the concept of family-based analyses, which aim to analyze an SPL in its entirety rather than
individual products. While family-based analyses have been proposed for various objectives, previous work dedicated to family-based vulnerability discovery has been limited. Notably, there is no solution that leverages the benefits of Query-Based Static Application Security Testing (Q-SAST), which allows vulnerability patterns to be codified into queries controlling the analysis. Corresponding tools provide many benefits and enable convenient detection of even sophisticated vulnerabilities. ... mehr
| Zugehörige Institution(en) am KIT | Institut für Informationssicherheit und Verlässlichkeit (KASTEL) |
| Publikationstyp | Hochschulschrift |
| Publikationsdatum | 28.11.2024 |
| Sprache | Englisch |
| Identifikator | KITopen-ID: 1000177489 |
| HGF-Programm | 46.23.03 (POF IV, LK 01) Engineering Security for Mobility Systems |
| Verlag | Karlsruher Institut für Technologie (KIT) |
| Umfang | xii, 107 S. |
| Art der Arbeit | Abschlussarbeit - Master |
| Prüfungsdaten | 28.11.2024 10.12.2024 |
| Schlagwörter | Software Product Lines, Vulnerability Detection, Static Analysis |
| Referent/Betreuer | Schaefer, Ina König, Christoph Pett, Tobias |