2018-125

Software Integrity Tester

JOSEPH N. ANTAKI, ABBY E. BEIZER, EDWARD F. KLEIN, SEAN D. LAWTON, KRISTELLE JEAN M. LUCERO, and JAMIE T. WALDER

Many computer programs have vulnerabilities that may be exploited by malicious parties. Several of these vulnerabilities are a result of the developer’s coding style. Whether they arise from oversight or lack of knowledge, these vulnerabilities pose a serious threat to the integrity of a system.
Our research explored whether an efficient Software Integrity Tester (SIT) could be developed to search through developer code and present warnings when specific vulnerabilities are detected.
Research into vulnerability detection and existing detection tools showed that many available static analysis tools focus on one or a few languages. We wanted to allow for future expansion to a large set of programming languages, starting with Ada, C++, and Java. Open-source static analysis tools also tend towards hard-coded vulnerability analysis, so adding new vulnerabilities over time requires knowledge of the tool’s codebase. We wanted a design that could be updated using Java reflection, allowing a new analysis algorithm to be added to the SIT’s vulnerability database without altering related source code. To detect vulnerabilities, we parse code for patterns and regular expressions. Research into designs that render code exploitable was necessary to determine the best methods of detecting common vulnerabilities and to prevent the SIT from generating false warnings. Suggested mitigation strategies for the detected vulnerabilities are shared with the SIT’s user based on detection solutions.
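A minimal sketch of the reflection-driven design described above, as an added example and not the SIT's own code: the `Check` interface, the two check classes, their regular expressions and the `DATABASE` list are all hypothetical. It assumes the file is compiled in the default package so the class names resolve as written.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SitSketch {
    /** Hypothetical plug-in contract: one implementation per vulnerability. */
    public interface Check {
        boolean appliesTo(String language);
        Pattern pattern();
        String mitigation();
    }

    /** Unbounded C/C++ string copies. */
    public static class UnboundedCopyCheck implements Check {
        public boolean appliesTo(String lang) { return lang.equals("cpp"); }
        public Pattern pattern() { return Pattern.compile("\\b(strcpy|strcat|gets)\\s*\\("); }
        public String mitigation() { return "use a length-bounded copy and check the destination size"; }
    }

    /** Java command lines assembled by string concatenation. */
    public static class ExecConcatCheck implements Check {
        public boolean appliesTo(String lang) { return lang.equals("java"); }
        public Pattern pattern() { return Pattern.compile("\\.exec\\s*\\([^)]*\\+"); }
        public String mitigation() { return "pass arguments as an array via ProcessBuilder and validate input"; }
    }

    // Stand-in for the vulnerability database (constructed): adding a check adds a name, scan() is untouched.
    static final String[] DATABASE = { "SitSketch$UnboundedCopyCheck", "SitSketch$ExecConcatCheck" };

    static List<String> scan(String language, String source) throws ReflectiveOperationException {
        List<String> warnings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (String name : DATABASE) {
            // Reflection: the scanner knows checks only by name and by the Check contract.
            Check check = (Check) Class.forName(name).getDeclaredConstructor().newInstance();
            if (!check.appliesTo(language)) continue;
            Pattern p = check.pattern();
            for (int i = 0; i < lines.length; i++) {
                String code = lines[i].replaceAll("//.*$", ""); // crude comment strip to reduce false warnings
                if (p.matcher(code).find())
                    warnings.add("line " + (i + 1) + ": " + name + " -> " + check.mitigation());
            }
        }
        return warnings;
    }
    public static void main(String[] args) throws Exception {
        String cpp = "char buf[16];\n// strcpy(buf, old) was removed\nstrcpy(buf, argv[1]);\n"; // constructed sample
        scan("cpp", cpp).forEach(System.out::println);
    }
}
```

The commented-out `strcpy` on line 2 of the sample is skipped while the live call on line 3 is reported, which is the kind of false warning the pattern design has to account for.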