Source Code Vulnerability Assessment Methodology; Final rept

摘要

Coding errors and security vulnerabilities are routinely introduced into application source code for both malicious and non-malicious purposes. The U.S. Army Research Laboratory (ARL) Survivability/Lethality Analysis Directorate (SLAD), Information and Electronic Protection Division (IEPD) has developed a security-focused source Code Analysis Methodology (CAM) to identify, exploit, and mitigate vulnerabilities found in software developed for use in U.S. Army systems. Because of the classified nature of the results obtained via the CAM on actual systems, it is not possible to present these results in an unclassified forum. Instead, the work presented here provides a proof-of- concept of the CAM and exploit development process by generating an exploit for a buffer overflow vulnerability found in a free software application. A buffer overflow vulnerability presents a serious threat to the security of a software system and provides one example of the coding errors and security issues that the CAM is designed to detect, exploit, and mitigate against. The work described here provides an example of the process that is followed to ultimately determine the appropriate mitigations and countermeasures that will protect and enhance Soldier and system survivability via the CAM.