
A source code analysis toolbox for software security assurance

The STANCE Consortium, co-funded under the EU FP7 programme, has announced the successful completion of the R&D Project that has developed source code analysis tools for security and safety-critical applications. The project brings trust and security to software-driven systems used in critical industrial areas (such as networks, trusted computing platforms and web applications), and will reduce computer-related threats, errors and malfunctions. The originality of the project lies in using static analysis for an exhaustive detection of all faults of a given kind.


STANCE

Immunity to malicious third parties is a fundamental security feature of a system. Ensuring this feature in information and communication technologies is a requirement for establishing a trustworthy Information Society. Several strategies can be explored to deal with this problem. One of them, called program analysis, relies on formal techniques that semi-automatically detect unintended behaviours in software systems. This approach allows the verification and secure use of legacy and commercial-off-the-shelf components.


However, program analysis techniques for security are still in their infancy. They face several challenges, among them the incomplete detection of security flaws and limited support for both programming languages and industrial verification procedures. These challenges are hindering the adoption of program analysis tools as part of security assurance practices and the compliance checks of certification standards.


The objective of STANCE has been to drive scientific and technological breakthroughs in the domain of software security. Over three and a half years, STANCE has defined, implemented and validated a set of program analysis tools capable of verifying the security of complex software systems written in C, C++ and Java. STANCE has built on existing assets: formal methods, state-of-the-art static and dynamic program analysis tools, and security evaluation expertise. Industry-specific knowledge has been used and significantly extended. The resulting program analysis toolbox and supporting methods are increasing the trustworthiness and the cost-effectiveness of existing security-oriented processes. These innovations are durably altering the domain of software security assurance, with broad consequences for its legal, societal, and economic aspects.

STANCE project website