Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Eljose E Sajan,Yunpeng Zhang,Liang-Chieh Cheng

DOI: https://doi.org/10.48550/arXiv.1905.04752

2019-05-13

Abstract:Static analyzers are tool sets which are proving to be indispensable to modern programmers. These enable the programmers to detect possible errors and security defects present in the current code base within the implementation phase of the development cycle, rather than relying on a standalone testing phase. Static analyzers typically highlight possible defects within the 'static' source code and thus does not require the source code to be compiled or executed. The Scala programming language has been gaining wider adoption across various industries in recent years. With such a wide adoption of tools of this nature, this paper presents an overview on the static analysis tools available, both commercial and open-source, for the Scala programming language. This paper discusses in detail about the types of defects that each of these tools can detect, limitations of these tools and also provide potential research direction that can improve the current state of static analyzers for the Scala programming language.

Software Engineering

Julien Julien Bertrane,Patrick Cousot,Radhia Cousot,Jérôme Feret,Laurent Mauborgne,Antoine Miné,Xavier Rival

DOI: https://doi.org/10.1145/1921532.1921553

2011-01-24

ACM SIGSOFT Software Engineering Notes

Abstract:Formal methods are increasingly used to help ensuring the correctness of complex, critical embedded software systems. We show how sound semantic static analyses based on Abstract Interpretation may be used to check properties at various levels of a software design: from high level models to low level binary code. After a short introduction to the Abstract Interpretation theory, we present a few current applications: checking for run-time errors at the C level, translation validation from C to assembly, and analyzing SAO models of communicating synchronous systems with imperfect clocks. We conclude by briey proposing some requirements to apply Abstract Interpretation to modeling languages such as UML.

Dalin Zhang,Gang Yin,Dahai Jin,Yunzhan Gong,Tianshuang Wu,Hailong Zhang

DOI: https://doi.org/10.1145/2875913.2875928

2015-01-01

Abstract:In this paper, we propose a hybrid refinement approach to improve the accuracy of static analysis. It keeps condition constraints information during forward dataflow analysis and gets the satisfiability of a warning by a constraint solver taking as input such information and path conditions; data regression analysis can remedy the capability of handling loops and library calls of abstract interpretation technique. It has been implemented in our static analysis tool, Defect Testing System (DTS) and deployed on a internetware environment TRUSTIE. Experiment on a large number of C open source projects shows the great improvement this strategy makes.

Weigang He,Peng Di,Mengli Ming,Chengyu Zhang,Ting Su,Shijie Li,Yulei Sui

DOI: https://doi.org/10.1145/3660781

2024-07-12

Abstract:Static analyzers are playing crucial roles in helping find programming mistakes and security vulnerabilities. The correctness of their analysis results is crucial for the usability in practice. Otherwise, the potential defects in these analyzers (, implementation errors, improper design choices) could affect the soundness (leading to false negatives) and precision (leading to false positives). However, finding the defects in off-the-shelf static analyzers is challenging because these analyzers usually lack clear and complete specifications, and the results of different analyzers may differ. To this end, this paper designs two novel types of automated oracles to find defects in static analyzers with randomly generated programs. The first oracle is constructed by using dynamic program executions and the second one leverages the inferred static analysis results. We applied these two oracles on three state-of-the-art static analyzers: Clang Static Analyzer (CSA), GCC Static Analyzer (GSA), and Pinpoint. We found 38 unique defects in these analyzers, 28 of which have been confirmed or fixed by the developers. We conducted a case study on these found defects followed by several insights and lessons learned for improving and better understanding static analyzers. We have made all the artifacts publicly available at https://github.com/Geoffrey1014/SA_Bugs for replication and benefit the community.

Xin Zhang,Radu Grigore,Xujie Si,Mayur Naik

DOI: https://doi.org/10.1145/3133881

2017-01-01

Abstract:We propose an interactive approach to resolve static analysis alarms. Our approach synergistically combines a sound but imprecise analysis with precise but unsound heuristics, through user interaction. In each iteration, it solves an optimization problem to find a set of questions for the user such that the expected payoff is maximized. We have implemented our approach in a tool, Ursa, that enables interactive alarm resolution for any analysis specified in the declarative logic programming language Datalog. We demonstrate the effectiveness of Ursa on a state-of-the-art static datarace analysis using a suite of 8 Java programs comprising 41-194 KLOC each. Ursa is able to eliminate 74% of the false alarms per benchmark with an average payoff of 12× per question. Moreover, Ursa prioritizes user effort effectively by posing questions that yield high payoffs earlier.

Benno Stein,Bor-Yuh Evan Chang,Manu Sridharan

DOI: https://doi.org/10.1145/3648441

IF: 1.714

2024-02-15

ACM Transactions on Programming Languages and Systems

Abstract:We consider the problem of making expressive, interactive static analyzers compositional . Such a technique could help bring the power of server-based static analyses to integrated development environments (IDEs), updating their results live as the code is modified. Compositionality is key for this scenario, as it enables reuse of already-computed analysis results for unmodified code. Previous techniques for interactive static analysis either lack compositionality, cannot express arbitrary abstract domains, or are not from-scratch consistent. We present demanded summarization, the first algorithm for incremental compositional analysis in arbitrary abstract domains which guarantees from-scratch consistency. Our approach analyzes individual procedures using a recent technique for demanded analysis, computing summaries on demand for procedure calls. A dynamically-updated summary dependency graph enables precise result invalidation after program edits, and the algorithm is carefully designed to guarantee from-scratch-consistent results after edits, even in the presence of recursion and in arbitrary abstract domains. We formalize our technique and prove soundness, termination, and from-scratch consistency. An experimental evaluation of a prototype implementation on synthetic and real-world program edits provides evidence for the feasibility of this theoretical framework, showing potential for major performance benefits over non-demanded compositional analyses.

computer science, software engineering

Tian Tan,Yue Li

DOI: https://doi.org/10.48550/arXiv.2208.00337

2022-07-31

Abstract:Static analysis is a mature field with applications to bug detection, security analysis, and code optimization, etc. To facilitate these applications, static analysis frameworks play an essential role by providing a series of fundamental services such as program abstraction, control flow graph construction, and points-to/alias information computation, etc. However, despite impressive progress of static analysis, and this field has seen several popular frameworks in the last decades, it is still not clear how a static analysis framework should be designed in a way that analysis developers could benefit more: for example, what a good IR (for analysis) ought to look like? What functionalities should the module of fundamental analyses provide to ease client analyses? How to develop and integrate new analysis conveniently? How to manage multiple analyses? To answer these questions, in this work, we discuss the design trade-offs for the crucial components of a static analysis framework, and argue for the most appropriate design by following the HBDC (Harnessing the Best Designs of Classics) principle: for each crucial component, we compare the design choices made for it (possibly) by different classic frameworks such as Soot, WALA, SpotBugs and Doop, and choose arguably the best one, but if none is good enough, we then propose a better design. These selected or newly proposed designs finally constitute Tai-e, a new static analysis framework for Java. Specifically, Tai-e is novel in the designs of several aspects like IR, pointer analysis and development of new analyses, etc., leading to an easy-to-learn, easy-to-use and efficient system. To our knowledge, this is the first work that systematically explores the designs and implementations of various static analysis frameworks, and we believe it provides useful materials and viewpoints for building better static analysis infrastructures.

Programming Languages,Software Engineering

Florian Sihler,Lukas Pietzschmann,Raphael Straub,Matthias Tichy,Andor Diera,Abdelhalim Dahou

2024-01-29

Abstract:CONTEXT The R programming language has a huge and active community, especially in the area of statistical computing. Its interpreted nature allows for several interesting constructs, like the manipulation of functions at run-time, that hinder the static analysis of R programs. At the same time, there is a lack of existing research regarding how these features, or even the R language as a whole are used in practice. OBJECTIVE In this paper, we conduct a large-scale, static analysis of more than 50 million lines of real-world R programs and packages to identify their characteristics and the features that are actually used. Moreover, we compare the similarities and differences between the scripts of R users and the implementations of package authors. We provide insights for static analysis tools like the lintr package as well as potential interpreter optimizations and uncover areas for future research. METHOD We analyze 4230 R scripts submitted alongside publications and the sources of 19450 CRAN packages for over 350000 R files, collecting and summarizing quantitative information for features of interest. RESULTS We find a high frequency of name-based indexing operations, assignments, and loops, but a low frequency for most of R's reflective functions. Furthermore, we find neither testing functions nor many calls to R's foreign function interface (FFI) in the publication submissions. CONCLUSION R scripts and package sources differ, for example, in their size, the way they include other packages, and their usage of R's reflective capabilities. We provide features that are used frequently and should be prioritized by static analysis tools, like operator assignments, function calls, and certain reflective functions like load.

Programming Languages,Software Engineering

Gabor Horvath,Reka Kovacs,Richard Szalay,Zoltan Porkolab

2024-08-11

Abstract:Static analysis is a method of analyzing source code without executing it. It is widely used to find bugs and code smells in industrial software. Besides other methods, the most important techniques are those based on the abstract syntax tree and those performing symbolic execution. Both of these methods found their role in modern software development as they have different advantages and limitations. In this tutorial, we present two problems from the C++ programming language: the elimination of redundant pointers, and the reporting of dangling pointers originating from incorrect use of the std::string class. These two issues have different theoretical backgrounds and finding them requires different implementation techniques. We will provide a step-by-step guide to implement the checkers (software to identify the aforementioned problems) - one based on the abstract syntax analysis method, the other exploring the possibilities of symbolic execution. The methods are explained in great detail and supported by code examples. The intended audience for this tutorial are both architects of static analysis tools and developers who want to understand the advantages and constraints of the different methods.

Software Engineering

Neville Grech,Kyriakos Georgiou,James Pallister,Steve Kerrison,Jeremy Morse,Kerstin Eder

DOI: https://doi.org/10.1145/2764967.2764974

2015-07-16

Abstract:Energy models can be constructed by characterizing the energy consumed by executing each instruction in a processor's instruction set. This can be used to determine how much energy is required to execute a sequence of assembly instructions, without the need to instrument or measure hardware. However, statically analyzing low-level program structures is hard, and the gap between the high-level program structure and the low-level energy models needs to be bridged. We have developed techniques for performing a static analysis on the intermediate compiler representations of a program. Specifically, we target LLVM IR, a representation used by modern compilers, including Clang. Using these techniques we can automatically infer an estimate of the energy consumed when running a function under different platforms, using different compilers. One of the challenges in doing so is that of determining an energy cost of executing LLVM IR program segments, for which we have developed two different approaches. When this information is used in conjunction with our analysis, we are able to infer energy formulae that characterize the energy consumption for a particular program. This approach can be applied to any languages targeting the LLVM toolchain, including C and XC or architectures such as ARM Cortex-M or XMOS xCORE, with a focus towards embedded platforms. Our techniques are validated on these platforms by comparing the static analysis results to the physical measurements taken from the hardware. Static energy consumption estimation enables energy-aware software development, without requiring hardware knowledge.

Programming Languages

Yue Li,Tian Tan,Jingling Xue

DOI: https://doi.org/10.48550/arXiv.1706.04567

2017-06-15

Abstract:Java reflection has been increasingly used in a wide range of software. It allows a software system to inspect and/or modify the behaviour of its classes, interfaces, methods and fields at runtime, enabling the software to adapt to dynamically changing runtime environments. However, this dynamic language feature imposes significant challenges to static analysis, because the behaviour of reflection-rich software is logically complex and statically hard to predict, especially when manipulated frequently by statically unknown string values. As a result, existing static analysis tools either ignore reflection or handle it partially, resulting in missed, important behaviours, i.e., unsound results. Therefore, improving or even achieving soundness in (static) reflection analysis -- an analysis that infers statically the behaviour of reflective code -- will provide significant benefits to many analysis clients, such as bug detectors, security analyzers and program verifiers. This paper makes two contributions: we provide a comprehensive understanding of Java reflection through examining its underlying concept, API and real-world usage, and, building on this, we introduce a new static approach to resolving Java reflection effectively in practice. We have implemented our reflection analysis in an open-source tool, called SOLAR, and evaluated its effectiveness extensively with large Java programs and libraries. Our experimental results demonstrate that SOLAR is able to (1) resolve reflection more soundly than the state-of-the-art reflection analysis; (2) automatically and accurately identify the parts of the program where reflection is resolved unsoundly or imprecisely; and (3) guide users to iteratively refine the analysis results by using lightweight annotations until their specific requirements are satisfied.

Programming Languages,Software Engineering

Tingting Yin,Chao Zhang,Yuandong Ni,Yixiong Wu,Taiyu Wong,Xiapu Luo,Zheming Li,Yu Guo

DOI: https://doi.org/10.1145/3510457.3513076

2022-01-01

Abstract:Smart contracts are usually financial-related, which makes them attractive attack targets. Many static analysis tools have been developed to facilitate the contract audit process, but not all of them take account of two special features of smart contracts: (1) The external variables, like time, are constrained by real-world factors; (2) The internal variables persist between executions. Since these features import implicit constraints into contracts, they significantly affect the performance of static tools, such as causing errors in reachability analysis and resulting in false positives. In this paper, we conduct a systematic study on implicit constraints from three aspects. First, we summarize the implicit constraints in smart contracts. Second, we evaluate the impact of such constraints on the state-of-the-art static tools. Third, we propose a lightweight but effective mitigation method named ConSym to deal with such constraints and integrate it into OSIRIS. The evaluation result shows that ConSym can filter out 96% of false positives and reduce false negatives by two-thirds.

Qiuhan Deng,Dahai Jin

DOI: https://doi.org/10.1109/bmei.2015.7401594

2015-01-01

Abstract:With the rapid development of the software industry, the continuous increasing of software size and complexity, how to guarantee and improve the reliability and the safety of the software has become the focus in the research of computer science. Software testing has become an indispensable part in software's life circle and people are paying more attention to the software. The static analysis is a code analysis technology, which is opposite to the dynamic analysis. The former can detect the latent defects and the security vulnerabilities inside of software and is developing rapidly during the last years. This thesis is based on the C language as the research object, and focuses on generating intermediate files with compiler front-end. This thesis first introduces the principle of C preprocessor and the way of getting the redundant type of the intermediate files based on the file structure after the preprocessing. With the rational analysis, the redundant code in the intermediate files will be removed, and the simplification of the intermediate files are designed and realized, in order to increase the static analysis efficiency. Finally, we based on the software, defect detecting DTS (Defect Testing System) 1. We implement the file simplification module. DTS is used to validate some open source projects in order to prove the feasibility and effectiveness of our method.

HOU Su-ning,CHEN Li-qian,WANG Zhao-fei,WANG Ji

DOI: https://doi.org/10.3969/j.issn.1007-130x.2011.03.018

2011-01-01

Abstract:The validation of program correctness is a challenge problem in computer science.The theory of abstract interpretation provides a general framework for static analysis which can deduce programs' dynamic property automatically.A value range analysis based on abstract interpretation can give the invariant relationship of variables at every program point,which is very important to compilation optimization and error examination.We propose an interprocedural framework that analyses the value range information of numerical programs,which can process C and Fortran programs.The C or Fortran source program is first preprocessed to an uniform representation,and then we draw the semantic equation which is equivalent to the source semantics.Finally,the iterative computation is done on this syntax equation to get the program invariant.Besides,we model some complex syntax structures such as array.The experiment indicates that our framework is very extensive and precise,and can process most problems brought by the usage of array.

Mithun Acharya,Tao Xie,Jun Xu

2006-01-01

Abstract:Software robustness and security are critical to dependable oper- ations of computer systems. Robustness and security of software systems are governed by various temporal properties. Static verifi- cation has been shown to be effective in checking temporal proper- ties. But manually specifying these properties is cumbersome and requires knowledge of the system and source code. Furthermore, many system-specific correctness properties that govern the robust and secure operation of software systems are often not documented by the developers. We design and implement a novel framework to effectively generate a large number of concrete interface robustnes s properties for static verification from a few generic, high-level user specified robustness rules for exception handling. These generic rules are free from any system or interface details, which are auto- matically mined from the source code. We report our experience of applying this framework to test robustness of POSIX-APIs in Redhat-9.0 open source packages. Security properties that dictate the ordering of certain system calls are usually inter-procedural un- like robustness properties. In this paper, we present our ongoing re- search that infers these properties directly from the program source code by applying statistical analysis on model checking traces. We are implementing our ideas in an existing static analyzer that em- ploys pushdown model checking and thegcc compiler.

Eric Bodden

DOI: https://doi.org/10.48550/arXiv.1710.07430

2017-10-20

Abstract:Static code analysis is a powerful approach to detect quality deficiencies such as performance bottlenecks, safety violations or security vulnerabilities already during a software system's implementation. Yet, as current software systems continue to grow, current static-analysis systems more frequently face the problem of insufficient scalability. We argue that this is mainly due to the fact that current static analyses are implemented fully manually, often in general-purpose programming languages such as Java or C, or in declarative languages such as Datalog. This design choice predefines the way in which the static analysis evaluates, and limits the optimizations and extensions static-analysis designers can apply. To boost scalability to a new level, we propose to fuse static-analysis with just-in-time-optimization technology, introducing for the first time static analyses that are managed and inherently self-adaptive. Those analyses automatically adapt themselves to yield a performance/precision tradeoff that is optimal with respect to the analyzed software system and to the analysis itself. Self-adaptivity is enabled by the novel idea of designing a dedicated intermediate representation, not for the analyzed program but for the analysis itself. This representation allows for an automatic optimization and adaptation of the analysis code, both ahead-of-time (through static analysis of the static analysis) as well as just-in-time during the analysis' execution, similar to just-in-time compilers.

Software Engineering

Zhenbo Xu,Jian Zhang,Zhongxing Xu,Jiteng Wang

DOI: https://doi.org/10.1145/2610384.2628050

2014-01-01

Abstract:Symbolic analysis is a commonly used approach for static bug finding. It usually performs a precise path-by-path symbolic simulation from program inputs. A major challenge is its scalability and precision on interprocedural analysis. The former limits the application to large programs. The latter may lead to many false alarms. This paper presents a flexible, scalable and practical static bug detection tool, called Canalyze, for C programs. The flexibility is embodied in our modular design that supports different precision-level constraint solvers and interprocedural analyses. Based on these options, one can enable the less precise options to achieve a more scalable analysis or the more time-consuming options to perform a more precise analysis. Our tool is also practical to analyze real-world applications. It has been applied to some industry systems and open source programs like httpd, lighttpd, etc. And hundreds of newly found bugs were confirmed by the maintainers of our benchmarks.

Huaien Zhang,Yu Pei,Junjie Chen,Shin Hwei Tan

DOI: https://doi.org/10.1145/3611643.3616272

2023-01-01

Abstract:Static analyzers reason about the behaviors of programs without executing them and report issues when they violate pre-defined desirable properties. One of the key limitations of static analyzers is their tendency to produce inaccurate and incomplete analysis results, i.e., they often generate too many spurious warnings and miss important issues. To help enhance the reliability of a static analyzer, developers usually manually write tests involving input programs and the corresponding expected analysis results for the analyzers. Meanwhile, a static analyzer often includes example programs in its documentation to demonstrate the desirable properties and/or their violations. Our key insight is that we can reuse programs extracted either from the official test suite or documentation and apply semantic-preserving transformations to them to generate variants. We studied the quality of input programs from these two sources and found that most rules in static analyzers are covered by at least one input program, implying the potential of using these programs as the basis for test generation. We present Statfier, a heuristic-based automated testing approach for static analyzers that generates program variants via semantic-preserving transformations and detects inconsistencies between the original program and variants (indicate inaccurate analysis results in the static analyzer). To select variants that are more likely to reveal new bugs, Statfier uses two key heuristics: (1) analysis report guided location selection that uses program locations in the reports produced by static analyzers to perform transformations and (2) structure diversity driven variant selection that chooses variants with different program contexts and diverse types of transformations. Our experiments with five popular static analyzers show that Statfier can find 79 bugs in these analyzers, of which 46 have been confirmed.

Guang Chen,Min Zhou,Jiaguang Sun,Xiaoyu Song

DOI: https://doi.org/10.1109/APSEC.2018.00044

2018-01-01

Abstract:Static analysis is an effective way of checking memory safety issues in program. Usually, multiple analysis algorithms usually run together to achieve a precise analysis result. In this paper, a novel analysis frame work over access path is presented for incorporating analysis algorithms. A pointer analysis based on access path works as a base layer, alias and pointer information are automatically handled. An summary based checking algorithm is designed for checking real world project. Moreover, the framework is fully extensible and various analysis can be added as plugins. Experimental results show that our method has good precision on Juliet Test Suite and scales to large software.