Automatic detection of safety and security vulnerabilities in open source software

Growing software quality requirements have raised the stakes on software safety and security. Building secure software focuses on techniques and methodologies of design and implementation in order to avoid exploitable vulnerabilities. Unfortunately, coding errors have become common with the inexorable growth tendency of software size and complexity. According to the US National Institute of Standards and Technology (NIST), these coding errors lead to vulnerabilities that cost the US economy $60 billion each year. Therefore, tracking security and safety errors is considered as a fundamental cornerstone to deliver software that are free from severe vulnerabilities. The main objective of this thesis is the elaboration of efficient, rigorous, and practical techniques for the safety and security evaluation of source code. To tackle safety errors related to the misuse of type and memory operations, we present a novel type and effect discipline that extends the standard C type system with safety annotations and static safety checks. We define an inter-procedural, flow-sensitive, and alias-sensitive inference algorithm that automatically propagates type annotations and applies safety checks to programs without programmers' interaction. Moreover, we present a dynamic semantics of our C core language that is compliant with the ANSI C standard. We prove the consistency of the static semantics with respect to the dynamic semantics. We show the soundness of our static analysis in detecting our targeted set of safety errors. To tackle system-specific security properties, we present a security verification framework that combines static analysis and model-checking. We base our approach on the GCC compiler and its GIMPLE representation of source code to extract model-checkable abstractions of programs. For the verification process, we use an off-the-shelf pushdown system model-checker, and turn it into a fully-fledged security verification framework. We also allow programmers to define a wide range of security properties using an automata-based specification approach. To demonstrate the efficiency and the scalability of our approach, we conduct extensive experiments and case studies on large scale open-source software to verify their compliance with a representative set of the CERT standard secure coding rules

Security Evaluation and Hardening of Free and Open Source Software (FOSS)

Recently, Free and Open Source Software (FOSS) has emerged as an alternative to Commercial-Off- The-Shelf (COTS) software. Now, FOSS is perceived as a viable long-term solution that deserves careful consideration because of its potential for significant cost savings, improved reliability, and numerous advantages over proprietary software. However, the secure integration of FOSS in IT infrastructures is very challenging and demanding. Methodologies and technical policies must be adapted to reliably compose large FOSS-based software systems. A DRDC Valcartier-Concordia University feasibility study completed in March 2004 concluded that the most promising approach for securing FOSS is to combine advanced design patterns and Aspect-Oriented Programming (AOP). Following the recommendations of this study a three years project have been conducted as a collaboration between Concordia University, DRDC Valcartier, and Bell Canada. This paper aims at presenting the main contributions of this project. It consists of a practical framework with the underlying solid semantic foundations for the security evaluation and hardening of FOSS

Epidemiology of heart failure and long-term follow-up outcomes in a north-African population: Results from the NAtional TUnisian REgistry of Heart Failure (NATURE-HF)

International audienceThe NATURE-HF registry was aimed to describe clinical epidemiology and 1-year outcomes of outpatients and inpatients with heart failure (HF). This is a prospective, multicenter, observational survey conducted in Tunisian Cardiology centers. A total of 2040 patients were included in the study. Of these, 1632 (80%) were outpatients with chronic HF (CHF). The mean hospital stay was 8.7 ± 8.2 days. The mortality rate during the initial hospitalization event for AHF was 7.4%. The all-cause 1-year mortality rate was 22.8% among AHF patients and 10.6% among CHF patients. Among CHF patients, the older age, diabetes, anemia, reduced EF, ischemic etiology, residual congestion and the absence of ACEI/ ARBs treatment were independent predictors of 1-year cumulative rates of rehospitalization and mortality. The female sex and the functional status were independent predictors of 1-year all-cause mortality and rehospitalization in AHF patients. This study confirmed that acute HF is still associated with a poor prognosis, while the mid-term outcomes in patients with chronic HF seems to be improved. Some differences across countries may be due to different clinical characteristics and differences in healthcare systems