Source Code Vulnerability Assessment Methodology

Report No. ARL-TR-4571
Authors: Diana Villa and Daniel Landin
Date/Pages: September 2008; 34 pages
Abstract: Coding errors and security vulnerabilities are routinely introduced into application source code for both malicious and non-malicious purposes. The U.S. Army Research Laboratory (ARL) Survivability/Lethality Analysis Directorate (SLAD), Information and Electronic Protection Division (IEPD) has developed a security-focused source Code Analysis Methodology (CAM) to identify, exploit, and mitigate vulnerabilities found in software developed for use in U.S. Army systems. Because of the classified nature of the results obtained via the CAM on actual systems, it is not possible to present these results in an unclassified forum. Instead, the work presented here provides a proof-of-concept of the CAM and exploit development process by generating an exploit for a buffer overflow vulnerability found in a free software application. A buffer overflow vulnerability presents a serious threat to the security of a software system and provides one example of the coding errors and security issues that the CAM is designed to detect, exploit, and mitigate against. The work described here provides an example of the process that is followed to ultimately determine the appropriate mitigations and countermeasures that will protect and enhance Soldier and system survivability via the CAM.
Distribution: Approved for public release
  Download Report ( 0.443 MBytes )
If you are visually impaired or need a physical copy of this report, please visit and contact DTIC.

Last Update / Reviewed: September 1, 2008