IEEE International Conference on Electro/Information Technology

Cloud-Based Source Code Security and Vulnerabilities Analysis Tool for C/C++ Software Systems



Abstract

A study is presented that examines the distribution and usage of some unsafe functions, and their alternatives, that are known to introduce security vulnerabilities in two software systems both written in C/C++, and that compares the performance and efficiency of a web/cloud-based analysis tool with a desktop-based analysis tool. Multiple versions of Bitcoin and Curl were examined in our study to observe a trend over time. In our study, a static analysis is applied to each system, and the number of calls to unsafe functions and their alternatives is recorded and tallied. Additionally, we applied the analysis with both the cloud-based web application and the desktop-based solution. The results of our study show that vulnerable functions such as strcmp, sscanf, and memcpy are the most common unsafe functions used in the software systems. This information is important because it can allow those who educate in the fields of software engineering and computer science to better prepare their students to adopt a coding practice that is secure and sustainable. As well as providing information for educators, it also gives engineers in the field a more effective and efficient way of refactoring their code to clean their systems of vulnerabilities by focusing on the unsafe code that is most prevalent in their system. The historical data for the two systems is presented over a five-version period. The data shows that for both systems the number of unsafe calls is increasing from version to version. This trend is alarming and quite surprising given the growing use of Bitcoin and Curl. Another component of this study is the difference in performance between the cloud-based web application analysis and the desktop-based analysis. The aim of the cloud-based web application analysis tool is to allow for greater accessibility and the ability to track a software system from version to version. Currently, the web application allows a user to log in and upload an XML version of their source code produced with srcML, and the results of the analysis, presented as graphs, are stored in their account.
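The core of the analysis the abstract describes is a tally of calls to unsafe C functions and to their safer alternatives over srcML output, tracked from version to version. The script below is an added example written for this page; it is not the paper's tool or its code. It assumes the standard srcML layout in which a call appears as a `<call>` element whose first `<name>` child is the callee (srcML namespace `http://www.srcML.org/srcML/src`), and the unsafe-to-alternative mapping in `UNSAFE_TO_SAFER` is an illustrative assumption, not the paper's list. The two "versions" are constructed inline so the example runs offline.

```python
"""Tally unsafe C function calls and their alternatives in srcML documents (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

SRCML_NS = "http://www.srcML.org/srcML/src"  # srcML default namespace
CALL = f"{{{SRCML_NS}}}call"
NAME = f"{{{SRCML_NS}}}name"

# Assumed, illustrative mapping: unsafe function -> bounded/checked alternative.
# The paper names strcmp, sscanf and memcpy as the most common unsafe calls but
# does not list the alternatives it counted, so this table is not the paper's.
UNSAFE_TO_SAFER = {
    "strcpy": "strncpy",
    "strcat": "strncat",
    "sprintf": "snprintf",
    "gets": "fgets",
    "strcmp": "strncmp",
    "sscanf": "sscanf_s",
    "memcpy": "memcpy_s",
}
SAFER_TO_UNSAFE = {safer: unsafe for unsafe, safer in UNSAFE_TO_SAFER.items()}


def called_name(call):
    """Return the callee identifier of a srcML <call>, or None if it has no <name>."""
    name = call.find(NAME)
    if name is None:
        return None
    # Compound names (obj.method, p->fn) are nested <name> elements; flatten them
    # and keep the final segment so a member call is matched on the method name.
    text = "".join(name.itertext()).strip()
    return text.split(".")[-1].split("->")[-1]


def tally_calls(srcml_text):
    """Count unsafe calls and calls to their alternatives in one srcML document.

    Returns (unsafe_counts, alternative_counts), both Counters keyed by function name.
    """
    root = ET.fromstring(srcml_text)
    unsafe, safer = Counter(), Counter()
    # iter() walks the whole tree, so calls nested inside argument lists are counted too.
    for call in root.iter(CALL):
        name = called_name(call)
        if name in UNSAFE_TO_SAFER:
            unsafe[name] += 1
        elif name in SAFER_TO_UNSAFE:
            safer[name] += 1
    return unsafe, safer


def trend(versions):
    """For [(label, srcml_text), ...] return [(label, total_unsafe, total_safer), ...]."""
    result = []
    for label, text in versions:
        unsafe, safer = tally_calls(text)
        result.append((label, sum(unsafe.values()), sum(safer.values())))
    return result


# --- constructed sample input: two "versions" of a tiny C file in srcML form ---
def _n(identifier):
    return f"<name>{identifier}</name>"


def _call(fn, *arg_exprs):
    args = ", ".join(f"<argument><expr>{a}</expr></argument>" for a in arg_exprs)
    return f"<call><name>{fn}</name><argument_list>({args})</argument_list></call>"


def _stmt(expr):
    return f"<expr_stmt><expr>{expr}</expr>;</expr_stmt>"


def _unit(body):
    return f'<unit xmlns="{SRCML_NS}" language="C" filename="sample.c">{body}</unit>'


V1_BODY = (
    _stmt(_call("strcpy", _n("dst"), _n("src")))
    + _stmt(_call("memcpy", _n("dst"), _n("src"), _n("n")))
    + _stmt(_call("snprintf", _n("buf"), _n("n"), _n("fmt")))
)
# Version 2 adds a nested unsafe call inside an argument and a new sscanf call.
V2_BODY = (
    V1_BODY
    + _stmt(_call("memcpy", _n("dst"), _call("strcpy", _n("tmp"), _n("src")), _n("n")))
    + _stmt(_call("sscanf", _n("line"), _n("fmt"), _n("x")))
)
V1 = _unit(V1_BODY)
V2 = _unit(V2_BODY)

if __name__ == "__main__":
    for label, unsafe_total, safer_total in trend([("v1", V1), ("v2", V2)]):
        print(f"{label}: unsafe={unsafe_total} alternatives={safer_total}")
```

Run against real srcML output (`srcml file.c`), the same `tally_calls` gives the per-function counts the study graphs, and `trend` reproduces the version-over-version view; the only part that needs adjusting for a different study is the mapping table.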
