Filetype PDF | Posted on 06 Feb 2023 | 3 years ago
Authentication
digital resources
238x Filetype PDF File size 0.05 MB Source: www.diva-portal.org
Linköping University | Department of Computer and Information Science
Master’s thesis, 30 ECTS | Datateknik
2021| LIU-IDA/LITH-EX-A--21/018--SE
Using the SEI CERT Secure Cod-
ing Standard to Reduce Vulnera-
bilities
JohanFisch
Carl Haglund
Supervisors : Senyang Huang, Rahul Hiran, Ioannis Avgouleas
Examiner: Andrei Gurtov
Linköpings universitet
SE–58183Linköping
+4613281000,www.liu.se
Upphovsrätt
DettadokumenthållstillgängligtpåInternet-ellerdessframtidaersättare-under25årfrånpublicer-
ingsdatumunderförutsättningattingaextraordinäraomständigheteruppstår.
Tillgång till dokumentet innebär tillstånd för var och en att läsa, ladda ner, skriva ut enstaka ko-
pior för enskilt bruk och att använda det oförändrat för ickekommersiell forskning och för undervis-
ning. Överföring av upphovsrätten vid en senare tidpunkt kan inte upphäva detta tillstånd. All annan
användning av dokumentet kräver upphovsmannens medgivande. För att garantera äktheten, säker-
hetenochtillgängligheten finns lösningar av teknisk och administrativ art.
Upphovsmannensideellarättinnefattarrättattblinämndsomupphovsmanidenomfattningsom
godsedkrävervidanvändningavdokumentetpåovanbeskrivnasättsamtskyddmotattdokumentet
ändraseller presenteras i sådan form eller i sådant sammanhang som är kränkande för upphovsman-
nenslitterära eller konstnärliga anseende eller egenart.
För ytterligare information om Linköping University Electronic Press se förlagets hemsida
http://www.ep.liu.se/.
Copyright
The publishers will keep this document online on the Internet - or its possible replacement - for a
period of 25 years starting from the date of publication barring exceptional circumstances.
Theonlineavailabilityofthedocumentimpliespermanentpermissionforanyonetoread,todown-
load, or to print out single copies for his/hers own use and to use it unchanged for non-commercial
research and educational purpose. Subsequent transfers of copyright cannot revoke this permission.
Allotherusesofthedocumentareconditionalupontheconsentofthecopyrightowner. Thepublisher
hastakentechnicalandadministrativemeasurestoassureauthenticity,securityandaccessibility.
Accordingtointellectualpropertylawtheauthorhastherighttobementionedwhenhis/herwork
is accessed as described above and to be protected against infringement.
For additional information about the Linköping University Electronic Press and its procedures
for publication and for assurance of document integrity, please refer to its www home page:
http://www.ep.liu.se/.
©JohanFisch
Carl Haglund
Abstract
Security is a critical part of every software developed today and it will be even more
importantgoingforwardwhenmoredevicesaregettingconnectedtotheinternet. Bystriv-
ing to improve the quality of the code, in particular the security aspects, there might be a
reduction in the number of vulnerabilities and improvements of the software developed.
Bylookingatissues from past problems and studying the code in question to see whether
it follows the SEI CERT secure coding standards, it is possible to tell if compliance to this
standard would be helpful to reduce future problems. In this thesis an analysis of vulner-
abilities, written in C and C++, reported in Common Vulnerabilities and Exposures (CVE),
will be done to verify whether applying the SEI CERT secure coding standard will help
reduce vulnerabilities. This study also evaluates the SEI CERT rule coverage of three dif-
ferent static analysis tools, Rosecheckers, PVS-Studio and CodeChecker by executing them
on these vulnerabilities. By using three different metrics, true positive, false negative and
the run time. The results of the study are promising since it shows that compliance to the
SEI CERT standard does indeed reduce vulnerabilities. Of the analyzed vulnerabilities it
wasfoundthatabout60%ofthesecouldhavebeenavoided,ifthestandardhadbeenfol-
lowed. Theresultsofthetoolswereofgreatinterestaswell,itshowedthatthetoolsdidnot
performaswellasthemanualanalysis,however,allofthemfoundsomeSEICERTrulevi-
olations in different areas. Conclusively, a combination of manual analysis and these three
static analysis tools would have resulted in the highest number of vulnerabilities avoided.
Acknowledgments
Wewouldliketothank Ericsson and their employees that have been involved in our work.
AspecialthanksgoesouttoRahulHiran,oursupervisoratEricsson. Withouthisinteresting
ideas and help throughout the whole process, the results of the thesis would not have been
the same. We would also like to thank the developers of the tool CodeChecker at Ericsson,
especiallyDanielKruppwhotookthetimetohaveameetingwithusandexplainmoreabout
the tool. Appreciation also goes out to Linköping University. We would like to thank our
supervisors Senyang Huang and Ioannis Avgouleas as well as our examiner Andrei Gurtov
whohaveassisted us with the thesis writing and provided us with interesting and valuable
thoughts about the area.
iv
no reviews yet
Please Login to review.
