Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Colin S. Gordon

DOI: https://doi.org/10.48550/arXiv.1810.06600

2018-10-16

Abstract:Designing a static analysis is generally a substantial undertaking, requiring significant expertise in both program analysis and the domain of the program analysis, and significant development resources. As a result, most program analyses target properties that are universallly of interest (e.g., absence of null pointer dereference) or nearly so (e.g., deadlock freedom). However, many interesting program properties that would benefit from static checking are specific to individual programs, or sometimes programs utilizing a certain library. It is impractical to devote program analysis and verification experts to these problems. We propose instead to work on example-based synthesis of program analyses within well-understood domains like type qualifier systems and effect systems. The dynamic behaviors behind the classes of problems these systems prevent correspond to examples that developers who lack expertise in static analysis can readily provide (data flow paths, or stack traces).

Programming Languages

Philipp Dominik Schubert,Ben Hermann,Eric Bodden

DOI: https://doi.org/10.1007/978-3-030-17465-1_22

2019-01-01

Abstract:Static program analysis is used to automatically determine program properties, or to detect bugs or security vulnerabilities in programs. It can be used as a stand-alone tool or to aid compiler optimization as an intermediary step. Developing precise, inter-procedural static analyses, however, is a challenging task, due to the algorithmic complexity, implementation effort, and the threat of state explosion which leads to unsatisfactory performance. Software written in C and C++ is notoriously hard to analyze because of the deliberately unsafe type system, unrestricted use of pointers, and (for C++) virtual dispatch. In this work, we describe the design and implementation of the LLVM-based static analysis framework PhASAR for C/C++ code. PhASAR allows data-flow problems to be solved in a fully automated manner. It provides class hierarchy, call-graph, points-to, and data-flow information, hence requiring analysis developers only to specify a definition of the data-flow problem. PhASAR thus hides the complexity of static analysis behind a high-level API, making static program analysis more accessible and easy to use. PhASAR is available as an open-source project. We evaluate PhASAR’s scalability during whole-program analysis. Analyzing 12 real-world programs using a taint analysis written in PhASAR, we found PhASAR’s abstractions and their implementations to provide a whole-program analysis that scales well to real-world programs. Furthermore, we peek into the details of analysis runs, discuss our experience in developing static analyses for C/C++, and present possible future improvements. Data or code related to this paper is available at: [34].

Vincenzo Arceri,Isabella Mastroeni

DOI: https://doi.org/10.4204/EPTCS.299.5

2019-08-20

Abstract:In recent years, dynamic languages, such as JavaScript or Python, have been increasingly used in a wide range of fields and applications. Their tricky and misunderstood behaviors pose a hard challenge for static analysis of these programming languages. A key aspect of any dynamic language program is the multiple usage of strings, since they can be implicitly converted to another type value, transformed by string-to-code primitives or used to access an object-property. Unfortunately, string analyses for dynamic languages still lack precision and do not take into account some important string features. Moreover, string obfuscation is very popular in the context of dynamic language malicious code, for example, to hide code information inside strings and then to dynamically transform strings into executable code. In this scenario, more precise string analyses become a necessity. This paper is placed in the context of static string analysis by abstract interpretation and proposes a new semantics for string analysis, placing a first step for handling dynamic languages string features.

Programming Languages,Formal Languages and Automata Theory

Naman Jain,Shubham Gandhi,Atharv Sonwane,Aditya Kanade,Nagarajan Natarajan,Suresh Parthasarathy,Sriram Rajamani,Rahul Sharma

2023-07-24

Abstract:Static analysis tools are traditionally used to detect and flag programs that violate properties. We show that static analysis tools can also be used to perturb programs that satisfy a property to construct variants that violate the property. Using this insight we can construct paired data sets of unsafe-safe program pairs, and learn strategies to automatically repair property violations. We present a system called \sysname, which automatically repairs information flow vulnerabilities using this approach. Since information flow properties are non-local (both to check and repair), \sysname also introduces a novel domain specific language (DSL) and strategy learning algorithms for synthesizing non-local repairs. We use \sysname to synthesize strategies for repairing two types of information flow vulnerabilities, unvalidated dynamic calls and cross-site scripting, and show that \sysname successfully repairs several hundred vulnerabilities from open source {\sc JavaScript} repositories, outperforming neural baselines built using {\sc CodeT5} and {\sc Codex}. Our datasets can be downloaded from \url{<a class="link-external link-http" href="http://aka.ms/StaticFixer" rel="external noopener nofollow">this http URL</a>}.

Software Engineering

Laurent Hubert,Nicolas Barré,Frédéric Besson,Delphine Demange,Thomas Jensen,Vincent Monfort,David Pichardie,Tiphaine Turpin

DOI: https://doi.org/10.1007/978-3-642-18070-5_7

2010-07-20

Abstract:Static analysis is a powerful technique for automatic verification of programs but raises major engineering challenges when developing a full-fledged analyzer for a realistic language such as Java. This paper describes the Sawja library: a static analysis framework fully compliant with Java 6 which provides OCaml modules for efficiently manipulating Java bytecode programs. We present the main features of the library, including (i) efficient functional data-structures for representing program with implicit sharing and lazy parsing, (ii) an intermediate stack-less representation, and (iii) fast computation and manipulation of complete programs.

Programming Languages

Zhenbo Xu,Jian Zhang,Zhongxing Xu,Jiteng Wang

DOI: https://doi.org/10.1145/2610384.2628050

2014-01-01

Abstract:Symbolic analysis is a commonly used approach for static bug finding. It usually performs a precise path-by-path symbolic simulation from program inputs. A major challenge is its scalability and precision on interprocedural analysis. The former limits the application to large programs. The latter may lead to many false alarms. This paper presents a flexible, scalable and practical static bug detection tool, called Canalyze, for C programs. The flexibility is embodied in our modular design that supports different precision-level constraint solvers and interprocedural analyses. Based on these options, one can enable the less precise options to achieve a more scalable analysis or the more time-consuming options to perform a more precise analysis. Our tool is also practical to analyze real-world applications. It has been applied to some industry systems and open source programs like httpd, lighttpd, etc. And hundreds of newly found bugs were confirmed by the maintainers of our benchmarks.

Rajendra Kumar Solanki

2024-01-28

Abstract:In our times, when the world is increasingly becoming more dependent on software programs, writing bug-free, correct programs is crucial. Program verification based on formal methods can guarantee this by detecting run-time errors in safety-critical systems to avoid possible adverse impacts on human life and save time and money.

Programming Languages,Computation and Language

HOU Su-ning,CHEN Li-qian,WANG Zhao-fei,WANG Ji

DOI: https://doi.org/10.3969/j.issn.1007-130x.2011.03.018

2011-01-01

Abstract:The validation of program correctness is a challenge problem in computer science.The theory of abstract interpretation provides a general framework for static analysis which can deduce programs' dynamic property automatically.A value range analysis based on abstract interpretation can give the invariant relationship of variables at every program point,which is very important to compilation optimization and error examination.We propose an interprocedural framework that analyses the value range information of numerical programs,which can process C and Fortran programs.The C or Fortran source program is first preprocessed to an uniform representation,and then we draw the semantic equation which is equivalent to the source semantics.Finally,the iterative computation is done on this syntax equation to get the program invariant.Besides,we model some complex syntax structures such as array.The experiment indicates that our framework is very extensive and precise,and can process most problems brought by the usage of array.

Anas Shatnawi,Hafedh Mili,Manel Abdellatif,Yann-Gaël Guéhéneuc,Naouel Moha,Geoffrey Hecht,Ghizlane El Boussaidi,Jean Privat

DOI: https://doi.org/10.48550/arXiv.1906.00815

2019-06-03

Abstract:Identifying dependency call graphs of multilanguage software systems using static code analysis is challenging. The different languages used in developing today's systems often have different lexical, syntactical, and semantic rules that make thorough analysis difficult. Also, they offer different modularization and dependency mechanisms, both within and between components. Finally, they promote and--or require varieties of frameworks offering different sets of services, which introduce hidden dependencies, invisible with current static code analysis approaches. In this paper, we identify five important challenges that static code analysis must overcome with multilanguage systems and we propose requirements to handle them. Then, we present solutions of these requirements to handle JEE applications, which combine server-side Java source code with a number of client-side Web dialects (e.g., JSP, JSF) while relying on frameworks (e.g., Web and EJB containers) that create hidden dependencies. Finally, we evaluate our implementations of the solutions by developing a set of tools to analyze JEE applications to build a dependency call graph and by applying these tools on two sample JEE applications. Our evaluation shows that our tools can solve the identified challenges and improve the recall in the identification of multilanguage dependencies compared to standard JEE static code analysis and, thus, indirectly that the proposed requirements are useful to build multilanguage static code analysis.

Software Engineering

Marco Pistoia

DOI: https://doi.org/10.1145/2810103.2812703

2015-10-12

Abstract:Program analysis has become an essential tool to verify the correctness of programs before these are deployed to end users&#x27; computers and devices. Detecting security problems in today&#x27;s mobile applications by just relying on manual code inspection is unrealistic. Testing is also limited because there is often no guarantee that all the possible paths of execution of an application are tested under all the possible inputs, and so false negatives may arise. Static analysis is a very promising solution but suffers from the dual problem of false positives. A combination of static and dynamic analysis mitigates the disadvantages that arise when static and dynamic analysis are executed individually and is, therefore, the recommended solution to detect and correct application-level cyber security attacks in mobile applications. This tutorial presents both static and dynamic analysis approaches to enforce privacy of mobile applications, and includes a hands-on lab that teaches the audience how to use create a static-analysis solution that verifies the integrity and confidentiality of the data managed by the program itself.

Jesko Hecking-Harbusch,Jochen Quante,Maximilian Schlund

DOI: https://doi.org/10.48550/arXiv.2310.16468

2023-10-25

Abstract:Modern automotive software is highly complex and consists of millions lines of code. For safety-relevant automotive software, it is recommended to use sound static program analysis to prove the absence of runtime errors. However, the analysis is often perceived as burdensome by developers because it runs for a long time and produces many false alarms. If the analysis is performed on the integrated software system, there is a scalability problem, and the analysis is only possible at a late stage of development. If the analysis is performed on individual modules instead, this is possible at an early stage of development, but the usage context of modules is missing, which leads to too many false alarms. In this case study, we present how automatically inferred contracts add context to module-level analysis. Leveraging these contracts with an off-the-shelf tool for abstract interpretation makes module-level analysis more precise and more scalable. We evaluate this framework quantitatively on industrial case studies from different automotive domains. Additionally, we report on our qualitative experience for the verification of large-scale embedded software projects.

Software Engineering

Julien Julien Bertrane,Patrick Cousot,Radhia Cousot,Jérôme Feret,Laurent Mauborgne,Antoine Miné,Xavier Rival

DOI: https://doi.org/10.1145/1921532.1921553

2011-01-24

ACM SIGSOFT Software Engineering Notes

Abstract:Formal methods are increasingly used to help ensuring the correctness of complex, critical embedded software systems. We show how sound semantic static analyses based on Abstract Interpretation may be used to check properties at various levels of a software design: from high level models to low level binary code. After a short introduction to the Abstract Interpretation theory, we present a few current applications: checking for run-time errors at the C level, translation validation from C to assembly, and analyzing SAO models of communicating synchronous systems with imperfect clocks. We conclude by briey proposing some requirements to apply Abstract Interpretation to modeling languages such as UML.

Lizhe YAO,Qiang WU,Changyu LIANG,Qingkai ZENG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.09.055

2006-01-01

Abstract:With the development of Internet and distributed systems,software security is becoming a research hotspot.However in the past several years,most researches focused on the static code analysis.In this paper,a method of dynamic code analysis is proposed to apply the model checking into interpreted languages.The classification and formal description of temporal safety properties are discussed for managing and maintaining them.In practice,the method is applied in the Perl interpreter to implement dynamic analysis on CGI scripts.

Gabor Horvath,Reka Kovacs,Richard Szalay,Zoltan Porkolab

2024-08-11

Abstract:Static analysis is a method of analyzing source code without executing it. It is widely used to find bugs and code smells in industrial software. Besides other methods, the most important techniques are those based on the abstract syntax tree and those performing symbolic execution. Both of these methods found their role in modern software development as they have different advantages and limitations. In this tutorial, we present two problems from the C++ programming language: the elimination of redundant pointers, and the reporting of dangling pointers originating from incorrect use of the std::string class. These two issues have different theoretical backgrounds and finding them requires different implementation techniques. We will provide a step-by-step guide to implement the checkers (software to identify the aforementioned problems) - one based on the abstract syntax analysis method, the other exploring the possibilities of symbolic execution. The methods are explained in great detail and supported by code examples. The intended audience for this tutorial are both architects of static analysis tools and developers who want to understand the advantages and constraints of the different methods.

Software Engineering

Amit Seal Ami,Kevin Moran,Denys Poshyvanyk,Adwait Nadkarni

DOI: https://doi.org/10.1109/SP54263.2024.00019

2024-06-19

Abstract:The demand for automated security analysis techniques, such as static analysis based security testing (SAST) tools continues to increase. To develop SASTs that are effectively leveraged by developers for finding vulnerabilities, researchers and tool designers must understand how developers perceive, select, and use SASTs, what they expect from the tools, whether they know of the limitations of the tools, and how they address those limitations. This paper describes a qualitative study that explores the assumptions, expectations, beliefs, and challenges experienced by developers who use SASTs. We perform in-depth, semi-structured interviews with 20 practitioners who possess a diverse range of software development expertise, as well as a variety of unique security, product, and organizational backgrounds. We identify $17$ key findings that shed light on developer perceptions and desires related to SASTs, and also expose gaps in the status quo - challenging long-held beliefs in SAST design priorities. Finally, we provide concrete future directions for researchers and practitioners rooted in an analysis of our findings.

Cryptography and Security,Software Engineering

Hongliang Liang,Lei Wang,Dongyang Wu,Jiuyun Xu

DOI: https://doi.org/10.2991/ijndc.2016.4.3.1

2016-01-01

International Journal of Networked and Distributed Computing

Abstract:Program bugs may result in unexpected software error, crash or serious security attack. Static program analysis is one of the most common methods to find program bugs. In this paper we present MLSA -- a static analysis tool based on LLVM Intermediate Representation (IR), which can analyze programs written in multiple programming languages. MLSA combines symbolic execution with Z3 SMT solver to find bugs. At present, MLSA can detect some kinds of bugs, such as divide zero error, pointer overflow and dead code. Moreover, as a framework, MLSA follows the scalability and extensibility principles, which can help detect other types of bugs. Experiments show that MLSA is effective in finding bugs in real world software.

Lian Yu,Jun Zhou,Yue Yi,Ping Li,Qianxiang Wang

DOI: https://doi.org/10.1109/compsac.2008.73

2008-01-01

Abstract:Typical enterprise and military software systems consist of millions of lines of code with complicated dependence on diverse library abstractions. Manually debugging these codes imposes developers overwhelming workload and difficulties. To address software quality concerns efficiently, this paper proposes an ontology-based static analysis approach to automatically detect bugs in the source code of Java programs. First, we elaborate bug list collected, classify bugs into different categories, and translate bug patterns into SWRL (semantic Web rule language) rules using an ontology tool, Protege. An ontology model of Java program is created according to Java program specification using Protege as well. Both SWRL rules and the program ontology model are exported in OWL (Web ontology language) format. Second, Java source code under analysis is parsed into the abstract syntax tree (AST), which is automatically mapped to the individuals of the program ontology model. SWRL bridge takes in the exported OWL file (representing the SWRL rules model and program ontology model) and the individuals created for the Java code, conduits to Jess (a rule engine), and obtains inference results indicating any bugs. We perform experiments to compare bug detection capability with well-known FindBugs tool. A prototype of bug detector tool is developed to show the validity of the proposed static analysis approach.

Tim Blok,Ansgar Fehnker

DOI: https://doi.org/10.4995/HEAD17.2017.5533

2017-09-30

Abstract:This paper describes how to adapt a static code analyzer to help novice programmers. Current analyzers have been built to give feedback to experienced programmers who build new applications or systems. The type of feedback and the type of analysis of these tools focusses on mistakes that are relevant within that context, and help with debugging the system. When teaching novice programmers this type of advice is often not particularly useful. It would be instead more useful to use these techniques to find problem in the understanding of students of important programming concepts. This paper first explores in what respect static analyzers support the learning and teaching of programming can be implemented based on existing static analysis technology. It presents an extension to static analyzer PMD was made so that feedback messages appear which are easier to understand for novice programmers. To answer the question if these techniques are able to find conceptual mistakes that are characteristic for novice programmers make, we ran it over a number of student projects, and compared these results with publicly available mature software projects.

Software Engineering