Error Handling Source Code
Mining API Error-Handling Specifications from Source Code
Mithun Acharya and Tao Xie, Department of Computer Science, North Carolina State University
Software Engineering, Lecture Notes in Computer Science, Volume 5503, pp. 370-384
http://link.springer.com/chapter/10.1007%2F978-3-642-00593-0_25

Abstract

API error-handling specifications are often not documented, necessitating automated specification mining. Automated mining of error-handling specifications is challenging for procedural languages such as C, which lack explicit exception-handling mechanisms. Due to the lack of explicit exception handling, error-handling code is often scattered across different procedures and files, making it difficult to mine error-handling specifications through manual inspection of source code. In this paper, we present a novel framework for mining API error-handling specifications automatically from API client code, without any user input. In our framework, we adapt a trace generation technique to distinguish and generate static traces representing different API run-time behaviors. We apply data mining techniques on the static traces to mine specifications that define correct handling of API errors. We then use the mined specifications to detect API error-handling violations. Our framework mines 62 error-handling specifications and detects 264 real error-handling defects from the analyzed open source packages.
Code Review: Error Handling (OWASP)
https://www.owasp.org/index.php/Codereview-Error-Handling

Contents (beginning truncated):
- ... Possible
- 1.2 Java Servlets and JSP
- 1.3 Failing Securely
- 1.4 Information Burial
- 2 Generic Error Messages
- 3 How to Locate the Potentially Vulnerable Code
- 3.1 JAVA
- 3.2 .NET
- 3.3 Classic ASP
- 4 Vulnerable Patterns for Error Handling
- 4.1 Page_Error
- 4.2 Global.asax
- 4.3 Web.config
- 5 Leading Practice for Error Handling
- 5.1 Try & Catch (Java/.NET)
- 5.2 Releasing resources and good housekeeping
- 5.3 Classic ASP
- 5.4 Centralised exception handling (Struts Example)
- 5.5 Classic ASP Error Handling

Error handling is important in a number of ways. It may affect the state of the application, or leak system information to a user. The initial failure to prevent the error may cause the application to traverse into an insecure state. Weak error handling also aids the attacker, as the errors returned may assist them in constructing correct attack vectors.

A generic error page for most errors is recommended. This approach makes it more difficult for attackers to identify signatures of potentially successful attacks. There are methods which can circumvent systems with leading error handling practices, which should be kept in mind: attacks such as blind SQL injection using booleanization or response time characteristics can be used to address such generic responses.

The other key area relating to error handling is the premise of "fail securely". Errors induced should not leave the application in an insecure state. Resources should be locked down and released, sessions terminated (if required), and calculations or business logic should be halted (depending on the type of error, of course).

An important aspect of secure application development is to prevent information leakage. Error messages give an attacker great insight into the inner workings of an application. The purpose of reviewing the error handling code is to assure that the application fails safely under all possible error conditions, expected
The Scourge of Error Handling
By Andrew Binstock, December 05, 2012 (Dr. Dobb's)
http://www.drdobbs.com/architecture-and-design/the-scourge-of-error-handling/240143878

Return values and exceptions are both inadequate tools for handling errors. But we're stuck with them for the foreseeable future, just as we have been for decades.

Our recent five-part tutorial on Google's Go language induced me to dip back into C-style programming. I was impressed with the improvements the Go team has made, particularly in the design of the return value mechanism. Unlike most languages, Go enables you to return multiple values from a function without creating some ad hoc data structure or object to do it. One of the standard return values is an error code, which is accessed conventionally upon the function's return through the err variable. This solution solved a messy problem: C's dual use of return values for data and error codes, which was necessary due to C's lack of an exception mechanism. To be fair, this problem still exists in a different form in languages that have robust exceptions. For example, in Java, the conventional use of a null return both as an indicator of an error condition and as an actual data item laces codebases with endless tests for null. The problem is so ubiquitous in Java that many JVM scripting languages include shorthand to abbreviate the null checks.

In fact, Go has an exception mechanism as well, but its use is contrary to convention, and convention is a central aspect of Go development. It's also not as elaborate as the exception mechanisms in C++ or Java. Its use is supposed to be for truly exceptional circumstances. I believe this is due to Google scale issues (rec