Visualising Source Code For Auditing presented at HITBSecConf Malaysia 2006

by Lisa Thalheim,

Tags: Security Wireless Auditing Development

Summary : Presentation Title:Presentation Details:Auditing large amounts of source code can be a challenging task. With ever-growing software, hardly anyone has the time (aka money) and patience to read each and every single line of code there is. Thus, a crucial point is to get an overview of the code, to identify potentially interesting areas of code, understand how different parts of the code interrelate, sometimes even to reverse engineer the architecture implicitly contained in source code, for the documentation on the particular code is often either outdated or nonexistent. This pinpointing of interesting areas within the code is especially important and useful when professionally auditing for security-relevant bugs in given code.The purpose of this talk is to show how information visualization techniques as well as techniques from compiler design can be used to help an auditor to quicklier and better understand large amounts of source code and thereby become a more efficient auditor. I will also show the latest development of Charles, a tool I develop to implement and assess the various source visualization ideas.This ongoing work has developed from my professional experiences as a code auditor as well as from my private investigations into publicly availablesource code.About Lisa:Lisa has spent a good part of the last seven years making and breaking software. She has worked in the field of wireless network security, biometrics, and bug finding in source and binaries. After four years of professional experience in software engineering and coding, she started working as a freelance computer security consultant two years ago, auditing software for security issues in both source and binary form. In the remaining time, she has worked on her duties as a student and is about to complete her diploma degree of Computer Science at the Humboldt University of Berlin, working on the issue of Security in Grid Computing.