Trustworthy software by quality attesting of secure code and repairing flaws

Bibliographic details
Main author: Ferreira, Tomás Cardoso de Oliveira
Publication date: 2024
Document type: Dissertation
Language: eng
Source title: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Full text: http://hdl.handle.net/10400.5/95600
Summary: Master's thesis, Informatics Engineering, 2024, Universidade de Lisboa, Faculdade de Ciências
id RCAP_98d71f507dba5223c997e9c7ecde3b94
oai_identifier_str oai:repositorio.ulisboa.pt:10400.5/95600
network_acronym_str RCAP
network_name_str Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
repository_id_str https://opendoar.ac.uk/repository/7160
Abstract: Embedded systems exist in many devices, such as IoT devices, drones, and cyber-physical systems. The security of these devices can be critical, depending on the context in which they are integrated and their role (e.g., water plant, car). C is the main language used to develop the software for these devices and is known for lacking bounds checks on its data types, which leads to vulnerabilities like buffer and integer overflows. These flaws, when exploited, cause severe damage and can put human life in danger. Therefore, it is important that the software of these devices be secure.

One of the most important problems for C programs is how to fix their code automatically, employing the right secure code to remove existing vulnerabilities and avoid attacks. On the one hand, developers resort to safe versions of the functions susceptible to exploitation; however, if these are not correctly parameterized, vulnerabilities are not avoided. On the other hand, developers may not write secure code. Both tasks face challenges: how to remove vulnerabilities, how to attest whether secure functions are correctly used, what the right secure code needed to remove them is, and where to insert this code. Another challenge is maintaining the application's correct behavior after applying the code correction.

This dissertation tackles this problem through a proposed solution and the OverSafe tool, which is capable of analyzing C source code and finding places where a vulnerability might exist. The vulnerability is isolated in a Vulnerable Function Case, with bound checks around the vulnerability and fat pointers to help the performance of the testing. The vulnerability is then tested, a patch is applied to it, the patched vulnerability is re-tested, and the patch is applied to the source code. After that, the behavior of the application is tested to verify that its normal behavior is maintained.

To evaluate the developed tool, the SARD dataset was used along with custom in-house test subjects to test the pipeline of the achieved solution, and real applications collected from the SourceForge repository were used to test whether the tool is capable of analyzing real applications. The tool was capable of finding and correcting 2 vulnerabilities from a group of 6 applications, assuring that the tool satisfies the defined objectives.
author Ferreira, Tomás Cardoso de Oliveira
author_facet Ferreira, Tomás Cardoso de Oliveira
author_role author
dc.contributor.none.fl_str_mv Medeiros, Ibéria Vitória de Sousa
Repositório da Universidade de Lisboa
dc.contributor.author.fl_str_mv Ferreira, Tomás Cardoso de Oliveira
dc.subject.por.fl_str_mv Static Code Analysis
Guided Fuzzing
Buffer Overflow
Automatic Code Correction
Software Security
Master's theses - 2024
Domain/Scientific Area::Engineering and Technology::Electrical, Electronic and Computer Engineering
publishDate 2024
dc.date.none.fl_str_mv 2024-11-22T17:21:33Z
2024
2024
2024-01-01T00:00:00Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10400.5/95600
url http://hdl.handle.net/10400.5/95600
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.source.none.fl_str_mv reponame:Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
instname:FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
instacron:RCAAP
repository.name.fl_str_mv Repositórios Científicos de Acesso Aberto de Portugal (RCAAP) - FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
repository.mail.fl_str_mv info@rcaap.pt
_version_ 1833601998637760512