SSVChecker: A Static Security Vulnerability Eclipse Interface







About SSVChecker



[Screenshot: SSVChecker running inside Eclipse]

SSVChecker (Static Security Vulnerability Checker) is an Eclipse plug-in developed to help software developers identify potential security vulnerabilities during development, from inside a user-friendly and widely used IDE. SSVChecker provides an interface from which developers can run any existing static analysis security vulnerability detection tool(s) and view the results from one or more of these tools in one place.

SSVChecker provides software developers with the following features:

  • Offers operations not found in other security vulnerability detection tools (e.g., union and intersection of the results of multiple tools) that better aid developers in identifying potential security vulnerabilities.
  • Modifies the traditional union and intersection operations so that multiple descriptions of a potential vulnerability detected on the same line of source code are all retained rather than collapsed to one, giving developers more information about each flagged line to help them correct it.
  • Remembers the results of the developer's own review, so that vulnerabilities the developer has dismissed are not reported again; developers can concentrate on the flagged vulnerabilities that still warrant attention.
  • Operates on a user-friendly, generic framework that allows future static security vulnerability detection tools to be plugged in.

With these features, SSVChecker gives both novice and expert developers an interface for building secure software with the help of detection tools that flag potential security vulnerabilities, explain the security flaw, and suggest how to remove it.
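The union, intersection and dismissal features above are set operations keyed on source location. The following is an added illustration of how they fit together; it is not SSVChecker's code. The two report texts are constructed for the example, and the "path:line: message" line format and the tool names "tool_a" and "tool_b" are assumptions, not the output of RATS, ITS4 or any other real tool.

```python
"""Union/intersection of findings from several static-analysis tools, keyed
by source line, with per-line descriptions kept and dismissed lines hidden.

Added example, not SSVChecker's own code.  The report formats are invented
for illustration; only the set operations are the point.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    message: str


# Constructed sample reports from two hypothetical scanners run on the same
# file.  The "path:line: message" format is assumed for this example.
REPORT_A = """\
login.c:12: strcpy: unbounded copy into fixed-size buffer
login.c:40: printf: non-constant format string
login.c:57: getenv: environment value used unchecked
"""
REPORT_B = """\
login.c:12: possible buffer overflow (destination size not checked)
login.c:40: format string controlled by caller
login.c:88: system: command built from argument
"""


def parse_report(tool, text):
    """Turn one tool's 'path:line: message' lines into Finding objects."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        path, line, message = raw.split(":", 2)
        findings.append(Finding(tool, path, int(line), message.strip()))
    return findings


def group_by_line(findings):
    """Map (path, line) -> {tool: [messages]}.

    Several tools' (and one tool's several) descriptions of the same line
    are kept side by side instead of collapsing to a single entry, which is
    what a plain set union over (path, line) would do."""
    grouped = defaultdict(lambda: defaultdict(list))
    for f in findings:
        grouped[(f.path, f.line)][f.tool].append(f.message)
    return grouped


def union(grouped):
    """Every line flagged by at least one tool, with all descriptions."""
    return {key: dict(tools) for key, tools in grouped.items()}


def intersection(grouped, tool_names):
    """Only lines flagged by every tool in tool_names, with all descriptions."""
    wanted = set(tool_names)
    return {key: dict(tools) for key, tools in grouped.items()
            if wanted <= set(tools)}


def dismiss(results, dismissed):
    """Drop lines the developer has already reviewed and dismissed.

    `dismissed` is a set of (path, line) keys that a real tool would persist
    across runs.  Caveat: keying on line numbers alone means an edit that
    shifts lines both resurrects dismissed findings and hides new findings
    that land on a dismissed line; keying on (path, line text) is safer."""
    return {key: tools for key, tools in results.items() if key not in dismissed}


def run_example():
    """Return (union, intersection, union minus dismissed) for the samples."""
    findings = parse_report("tool_a", REPORT_A) + parse_report("tool_b", REPORT_B)
    grouped = group_by_line(findings)
    u = union(grouped)
    i = intersection(grouped, ["tool_a", "tool_b"])
    # The developer has reviewed login.c:57 and dismissed it as a false positive.
    remaining = dismiss(u, {("login.c", 57)})
    return u, i, remaining


if __name__ == "__main__":
    _, _, remaining = run_example()
    for (path, line), tools in sorted(remaining.items()):
        print(f"{path}:{line}")
        for tool, msgs in tools.items():
            for m in msgs:
                print(f"    [{tool}] {m}")
```

The intersection is the low-noise view (lines two independent tools agree on); the union is the high-recall view. Because both keep every tool's message for a line, the developer sees, for example, that one tool calls login.c:12 an unbounded copy and the other a size-unchecked overflow, which is more useful than a single merged entry.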



SSVChecker Demonstration

You can now view a demonstration of SSVChecker here (you will need Macromedia Flash Player installed). This demonstration will give a brief overview of the features of SSVChecker and show how to use the tool from within the Eclipse IDE.

Note: the SSVChecker example demonstration was made using DebugMode's Wink 2.0.



Download SSVChecker

If you have Eclipse installed you can install SSVChecker from the update site, http://ssvchecker.sourceforge.net/update.

You must also download the matching tools package for SSVChecker to work: each SSVChecker version corresponds to one tools package version. The latest is 0.1.3. Download here.

SSVChecker is compatible with the following tools:

  • RATS (Download Source)
  • Pixy (Download Source)
  • expat (Download Source)
  • PHPLint (Download Source)
  • tuits4 (Download Source)
  • Phantm (Download Source)

Notice for tuits4: tuits4 is based on ITS4 from Cigital and was modified in May 2006, as follows. To reduce false positives, additional analysis was added to cut down the number of vulnerabilities reported for the printf function. To reduce false negatives, a number of additional vulnerable, Windows-specific functions were added to the database so that they, too, are checked during a scan.
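ITS4-style tools work lexically: they tokenise C source and match function calls against a database of risky functions. The following added example (not tuits4 or ITS4 code) shows that approach together with the two kinds of change described in the notice. The risky-function table is a small constructed subset; the rule that a printf call is reported only when its format argument is not a string literal is an assumption about what the page's "additional analysis" does; and lstrcpy and wsprintf are assumed examples of the kind of Windows-specific function that was added, not a list taken from tuits4.

```python
"""Minimal ITS4-style lexical scanner with a printf refinement.

Added example, not tuits4/ITS4 code.  RISKY is a constructed subset of a
risky-function database; the printf rule and the Win32 entries are
assumptions made for this illustration.
"""
import re

# Constructed database: name -> (severity, reason).
RISKY = {
    "strcpy":   ("high",   "unbounded copy; use a size-bounded copy"),
    "gets":     ("high",   "no bound on input; use fgets"),
    "sprintf":  ("high",   "unbounded formatted write; use snprintf"),
    "lstrcpy":  ("high",   "Win32 unbounded copy (assumed entry)"),
    "wsprintf": ("high",   "Win32 unbounded formatted write (assumed entry)"),
    "printf":   ("medium", "format string is not a literal; caller may control it"),
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

# Constructed sample input; comments give the expected outcome per line.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);               /* line 7: reported, unbounded copy */
    printf("Hello, %s\n", buf);      /* line 8: literal format, not reported */
    printf(name);                    /* line 9: reported, caller controls format */
    printf(gettext("Bye %s"), name); /* line 10: reported, non-literal format */
}
'''


def first_argument(src, open_paren):
    """Return the text of the first argument of the call whose '(' is at
    index open_paren, honouring nested parentheses and string literals."""
    depth = 0
    in_str = False
    i = open_paren
    start = open_paren + 1
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start:i].strip()
        elif c == "," and depth == 1:
            return src[start:i].strip()
        i += 1
    return src[start:].strip()


def scan(src):
    """Return [(line, function, severity, reason)] for each risky call.

    Purely lexical: no data flow, no preprocessor, no comment stripping,
    which is exactly why tools of this kind produce false positives."""
    hits = []
    for m in CALL_RE.finditer(src):
        name = m.group(1)
        if name not in RISKY:
            continue
        severity, reason = RISKY[name]
        if name == "printf":
            # Assumed refinement: a literal format string cannot be a
            # format-string bug, so do not report it.
            if first_argument(src, m.end() - 1).startswith('"'):
                continue
        line = src.count("\n", 0, m.start()) + 1
        hits.append((line, name, severity, reason))
    return hits


if __name__ == "__main__":
    for line, name, severity, reason in scan(SAMPLE_C):
        print(f"line {line}: {name} [{severity}] {reason}")
```

Line 10 shows the limit of the refinement: the format string comes from gettext, which is not a literal, so it is reported even though the translated text is normally trusted; deciding that would require knowing where the value comes from, which a lexical scanner cannot do.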



SSVChecker Members

  • Josh Dehlinger, Graduate Student, Department of Computer Science, Iowa State University
  • Qian Feng, Software Engineer, ABC Virtual Communications
  • Lan Hu, Graduate Student, Department of Computer Science, Utah State University
  • Eric Oestrich, Undergraduate Student, Department of Computer & Information Sciences, Towson University
  • Michael Smith, Undergraduate Student, Department of Computer & Information Sciences, Towson University



SSVChecker Related Publications

  • Josh Dehlinger, Qian Feng and Lan Hu, "SSVChecker: Unifying Static Security Vulnerability Detection Tools in an Eclipse Plug-In," To appear at the Eclipse Technology Exchange Workshop at OOPSLA 2006 (ETX 2006), Portland, OR, October 22-23, 2006.
  • Josh Dehlinger, Qian Feng and Lan Hu, "SSVChecker: A Tool to Unify and Exploit Multiple Static Security Vulnerability Detection Tools," Poster, To appear at the Eclipse Technology Exchange (ETX) Poster Reception at OOPSLA 2006, Portland, OR, October 23, 2006.