David Svoboda
Software Engineering Institute
Publications by David Svoboda
Software Security in Rust
March 21, 2023 • Podcast
Joe Sible, David Svoboda
David Svoboda and Joe Sible talk with Suzanne Miller about the Rust programming language and its security-related features.
Automated Code Repair to Ensure Spatial Memory Safety
June 01, 2021 • Presentation
William Klieber, Ruben Martins, Ryan Steele
In this presentation, the authors discuss a technique for repairing C code to protect against potential violations of spatial memory safety.
Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe
May 13, 2019 • Technical Report
Lori Flynn, Ebonie McNeil, David Svoboda
This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.
Detecting Leaks of Sensitive Data Due to Stale Reads
October 05, 2018 • Conference Paper
William Snavely, William Klieber, Ryan Steele
This paper introduces a heuristic-driven dynamic analysis that aims to detect reads that may be accessing stale sensitive data.
How Can I Enforce the SEI CERT C Coding Standard Using Static Analysis?
September 27, 2018 • Presentation
David Svoboda
In this webcast, David Svoboda and Arthur Hicken review the SEI CERT C Coding Standard and why it is necessary.
Prioritizing Alerts from Multiple Static Analysis Tools, Using Classification Models
August 14, 2018 • Conference Paper
Lori Flynn, William Snavely, David Svoboda
This paper was accepted by the SQUADE workshop at ICSE 2018. It describes the development of several classification models for the prioritization of alerts produced by static analysis tools and how those models were tested for accuracy.
SEI Cyber Minute: SCALe
February 06, 2018 • Video
David Svoboda
The SEI Source Code Analysis Lab (SCALe) gives analysts the ability to focus on the most critical alerts from static analysis.
Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules
September 24, 2017 • Presentation
Lori Flynn, David Svoboda, William Snavely
In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.
Avoiding Insecure C++
December 07, 2016 • Presentation
David Svoboda, Aaron Ballman
This presentation introduces the SEI CERT C++
Beyond errno: Error Handling in C
November 03, 2016 • Presentation
David Svoboda
In this tutorial, David Svoboda examines the technologies available to the C developer for handling errors.
Static Analysis Alert Audits: Lexicon & Rules
November 03, 2016 • Conference Paper
David Svoboda, Lori Flynn, William Snavely
In this paper, the authors provide a suggested set of auditing rules and a lexicon for auditing static analysis alerts.
Exploiting Java Serialization for Fun and Profit
September 22, 2016 • Presentation
David Svoboda
In this presentation, David Svoboda explains how exploits can occur using Java serialization.
The Java Security Architecture: How? and Why?
September 19, 2016 • Presentation
David Svoboda
In this tutorial, David Svoboda describes the design of Java's security architecture and its pros and cons.
Inside the CERT Oracle Secure Coding Standard for Java
September 19, 2016 • Presentation
David Svoboda
In this session, the authors of the CERT Oracle Secure Coding Standard for Java describe how it can be used to secure your Java projects.
Common Exploits and How to Prevent Them
September 08, 2016 • Presentation
David Svoboda
This presentation was given at the 2016 Secure Coding Symposium, where attendees discussed challenges in secure coding and software assurance.
Is Java More Secure Than C?
February 19, 2016 • Podcast
David Svoboda
In this podcast, CERT researcher David Svoboda analyzes secure coding rules for both C and Java to determine if they indeed refute the conventional wisdom that Java is more secure than C.
Anatomy of Another Java Zero-Day Exploit
June 02, 2015 • Video
David Svoboda
In this video, David Svoboda demonstrates a public exploit that attacked an unpatched Java Virtual Machine.
SCALe Analysis of JasPer Codebase
April 01, 2015 • White Paper
David Svoboda
In this paper, David Svoboda provides the findings of a SCALe audit on a codebase.
Improving the Automated Detection and Analysis of Secure Coding Violations
June 27, 2014 • Technical Note
Daniel Plakosh, Robert C. Seacord, Robert W. Stoddard
This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.
Pointer Ownership Model
January 06, 2014 • Conference Paper
David Svoboda, Lutz Wrage
In this paper, the authors describe how the Pointer Ownership Model improves static analysis of C programs for errors involving dynamic memory management.
Mobile SCALe: Rules and Analysis for Secure Java and Android Coding
November 08, 2013 • Technical Report
Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering), Lori Flynn, Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering)
In this report, the authors describe Android secure coding rules, guidelines, and static analysis developed as part of the Mobile SCALe project.
Java Coding Guidelines for Reliability
September 27, 2013 • Article
Fred Long (Aberystwyth University), Dhruv Mohindra, Robert C. Seacord
In this sample chapter, the authors describe how to avoid obscure techniques and code that is difficult to understand and maintain when programming in Java.
Don’t Be Pwned: A Short Course on Secure Programming in Java
September 24, 2013 • Presentation
Dean F. Sutherland, Robert C. Seacord, David Svoboda
In this presentation, the developers of the CERT Oracle Secure Coding Standard for Java present real exploits that have compromised Java programs in the field.
Java Security Architecture
September 24, 2013 • Presentation
David Svoboda
In this presentation, given at JavaOne 2013, David Svoboda explains Java's security architecture in detail, including how it was designed to secure Web applets.
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
August 05, 2013 • Book
Fred Long, Dhruv Mohindra, Robert C. Seacord
In this book, Robert Seacord brings together expert guidelines, recommendations, and code examples to help you use Java code to perform mission-critical tasks.
Pointer Ownership Model
June 10, 2013 • White Paper
David Svoboda
In this paper, David Svoboda describes the Pointer Ownership Model, which can statically identify classes of errors involving dynamic memory in C/C++ programs.
Source Code Analysis Laboratory (SCALe)
April 01, 2012 • Technical Note
Robert C. Seacord, Will Dormann, James McCurley
In this report, the authors describe the CERT Program's Source Code Analysis Laboratory (SCALe), a conformance test against secure coding standards.
The CERT Oracle Secure Coding Standard for Java: Input Validation and Data Sanitization
October 24, 2011 • Article
Fred Long (Aberystwyth University), David Svoboda, Dhruv Mohindra
In this sample chapter, the authors provide rules, assess their risk, and give noncompliant and compliant code solutions for validating and sanitizing data.
The CERT Oracle Secure Coding Standard for Java
September 08, 2011 • Book
Fred Long, Dhruv Mohindra, Robert C. Seacord
In this book, the authors provide the first comprehensive compilation of code-level requirements for building secure systems in Java.
Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems
December 01, 2010 • Technical Report
Robert C. Seacord, Will Dormann, James McCurley
In this report, the authors describe the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.
As-If Infinitely Ranged Integer Model
November 01, 2010 • Presentation
Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Thomas Plum (Plum Hall, Inc.), Will Dormann
This ISSRE 2010 paper describes the AIR Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping.
Java Concurrency Guidelines
May 01, 2010 • Technical Report
Fred Long, Dhruv Mohindra, Robert C. Seacord
In this report, the authors describe the CERT Oracle Secure Coding Standard for Java, which provides guidelines for secure coding in Java.
Specifications for Managed Strings, Second Edition
May 01, 2010 • Technical Report
Hal Burch, Fred Long, Raunak Rungta
In this report, the authors describe a managed string library for the C programming language.
As-If Infinitely Ranged Integer Model, Second Edition
April 01, 2010 • Technical Note
Roger Dannenberg (School of Computer Science, Carnegie Mellon University), Will Dormann, David Keaton
In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions.
Secure Design Patterns
October 01, 2009 • Technical Report
Chad Dougherty, Kirk Sayre, Robert C. Seacord
In this report, the authors describe a set of general solutions to software security problems that can be applied in many different situations.
As-if Infinitely Ranged Integer Model
July 01, 2009 • Technical Note
David Keaton, Thomas Plum (Plum Hall, Inc.), Robert C. Seacord
In this report, the authors present the as-if infinitely ranged (AIR) integer model, which eliminates integer overflow and integer truncation in C and C++ code.
Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools
June 01, 2008 • Technical Report
Stephen Dewhurst, Chad Dougherty, Yurie Ito
In this report, the authors describe a study to evaluate CERT Secure Coding Standards and source code analysis tools in commercial software projects.