LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.03.016

2007-01-01

Abstract:For lackness of knowledge about the context of network hosts,most signature-based NIDSs produce too many false positives,which prevent the administrators from focusing their efforts on real dangerous alerts quickly.A mechanism in NIDS is proposed,which makes a decision before pattern matching to filter unnecessary intrusion rules for matching,by utilizing the software information of the target hosts,to mitigate false positives drastically.This method is implemented in the prototype system.The result of testing on typical intranet shows that this method surely mitigate false positives and improve quality of alerts in NIDS.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

Han Cui,Menglei Xie,Ting Su,Chengyu Zhang,Shin Hwei Tan

2024-08-25

Abstract:Static code analyzers are widely used to help find program flaws. However, in practice the effectiveness and usability of such analyzers is affected by the problems of false negatives (FNs) and false positives (FPs). This paper aims to investigate the FNs and FPs of such analyzers from a new perspective, i.e., examining the historical issues of FNs and FPs of these analyzers reported by the maintainers, users and researchers in their issue repositories -- each of these issues manifested as a FN or FP of these analyzers in the history and has already been confirmed and fixed by the analyzers' developers. To this end, we conduct the first systematic study on a broad range of 350 historical issues of FNs/FPs from three popular static code analyzers (i.e., PMD, SpotBugs, and SonarQube). All these issues have been confirmed and fixed by the developers. We investigated these issues' root causes and the characteristics of the corresponding issue-triggering programs. It reveals several new interesting findings and implications on mitigating FNs and FPs. Furthermore, guided by some findings of our study, we designed a metamorphic testing strategy to find FNs and FPs. This strategy successfully found 14 new issues of FNs/FPs, 11 of which have been confirmed and 9 have already been fixed by the developers. Our further manual investigation of the studied analyzers revealed one rule specification issue and additional four FNs/FPs due to the weaknesses of the implemented static analysis. We have made all the artifacts (datasets and tools) publicly available at <a class="link-external link-https" href="https://zenodo.org/doi/10.5281/zenodo.11525129" rel="external noopener nofollow">this https URL</a>.

Software Engineering

Zhaoqiang Guo,Tingting Tan,Shiran Liu,Xutong Liu,Wei Lai,Yibiao Yang,Yanhui Li,Lin Chen,Wei Dong,Yuming Zhou

DOI: https://doi.org/10.1109/tse.2023.3329667

IF: 7.4

2023-12-16

IEEE Transactions on Software Engineering

Abstract:Static analysis (SA) tools can generate useful static warnings to reveal the problematic code snippets in a software system without dynamically executing the corresponding source code. In the literature, static warnings are of paramount importance because they can easily indicate specific types of software defects in the early stage of a software development process, which accordingly reduces the maintenance costs by a substantial margin. Unfortunately, due to the conservative approximations of such SA tools, a large number of false positive (FP for short) warnings (i.e., they do not indicate real bugs) are generated, making these tools less effective. During the past two decades, therefore, many false positive mitigation (FPM for short) approaches have been proposed so that more accurate and critical warnings can be delivered to developers. This paper offers a detailed survey of research achievements on the topic of FPM. Given the collected 130 surveyed papers, we conduct a comprehensive investigation from five different perspectives. First, we reveal the research trends of this field. Second, we classify the existing FPM approaches into five different types and then present the concrete research progress. Third, we analyze the evaluation system applied to examine the performance of the proposed approaches in terms of studied SA tools, evaluation scenarios, performance indicators, and collected datasets, respectively. Fourth, we summarize the four types of empirical studies relating to SA warnings to exploit the insightful findings that are helpful to reduce FP warnings. Finally, we sum up 10 challenges unresolved in the literature from the aspects of systematicness, effectiveness, completeness, and practicability and outline possible research opportunities based on three emerging techniques in the future.

engineering, electrical & electronic,computer science, software engineering

Zhen Dong,Artur Andrzejak,Kun Shao

DOI: https://doi.org/10.1109/ICSM.2015.7332463

2015-01-01

Abstract:Software misconfigurations are responsible for a substantial part of today's system failures, causing about one-quarter of all customer-reported issues. Identifying their root causes can be costly in terms of time and human resources. We present an approach to automatically pinpoint such defects without error reproduction. It uses static analysis to infer the correlation degree between each configuration option and program sites affected by an exception. The only run-time information required by our approach is the stack trace of a failure. This is an essential advantage compared to existing approaches which require to reproduce errors or to provide testing oracles. We evaluate our approach on 29 errors from 4 configurable software programs, namely JChord, Randoop, Hadoop, and Hbase. Our approach can successfully diagnose 27 out of 29 errors. For 20 errors, the failure-inducing configuration option is ranked first.

Tianshuang Wu,Junwen Zhang,Dalin Zhang,Dahai Jin

DOI: https://doi.org/10.1007/978-981-10-0421-6_5

2015-01-01

Abstract:In this paper, we present a refinement method of static analysis based on path segment. The dataflow analysis generates the initial defect detection results and the defect path. Then the path constraints that might cause the defect are searched for on the defect path for a reported defect. Finally, all the path constraints are solved by a constraint solver. If no solution is found, the defect is a false positive, otherwise not. The comparative experiment on an embedded software of certain key field and the comparisons with similar tool PC-Lint show that our method has better analytical accuracy and efficiency.

Jinbao Chen,Hongjing Xiang,Luhao Li,Yu Zhang,Boyao Ding,Qingwei Li

2024-11-05

Abstract:Static Application Security Testing(SAST) tools are crucial for early bug detection and code quality but often generate false positives that slow development. Automating false positive mitigation is thus essential for advancing SAST tools. Past efforts use static/dynamic analysis or machine learning. The advent of Large Language Models, adept at understanding natural language and code, offers promising ways to improve the accuracy and usability of SAST tools. However, existing LLM-based methods need improvement in two key areas: first, extracted code snippets related to warnings are often cluttered with irrelevant control and data flows, reducing precision; second, critical code contexts are often missing, leading to incomplete representations that can mislead LLMs and cause inaccurate assessments. To ensure the use of precise and complete code context, thereby avoiding misguidance and enabling LLMs to reach accurate conclusions, we propose LLM4FPM. One of its core components is eCPG-Slicer, which builds an extended code property graph and extracts line-level, precise code context. Moreover, LLM4FPM incorporates FARF algorithm, which builds a file reference graph and then efficiently detects all files related to a warning in linear time, enabling eCPG-Slicer to gather complete code context across these files. We evaluate LLM4FPM on Juliet dataset, where it comprehensively outperforms the baseline, achieving an F1 score above 99% across various CWEs. LLM4FPM leverages a free, open-source model, avoiding costly alternatives and reducing inspection costs by up to $2758 per run on Juliet, with an average inspection time of 4.7 seconds per warning. Our work emphasizes the critical impact of precise and complete code context and highlights the potential of combining program analysis with LLMs, improving the quality and efficiency of software development.

Software Engineering

Chi Li,Yuexing Wang,Min Zhou,Ming Gu

DOI: https://doi.org/10.1109/apsec53868.2021.00054

2021-01-01

Abstract:Precise static analysis is necessary for an industrial environment to ensure reliability and security, which is usually field-sensitive and inter-procedural. However, it faces the problem of insufficient scale capability when being applied to various industrial environments: (1) Field-sensitive analysis can not assure termination if field accesses are modeled by unbounded access paths; (2) Inter-procedural analysis may lead to path explosion problems because of the unbounded length of call chains. While using longer access paths or call chains can improve precision, the analysis may have poor performance in terms of efficiency. Specifically, an industry-strength method should be scalable enough to face different applications. This paper presents a scalable fault detection method based on the precise access path. Precise access path models a memory location with accurate operations and offsets from a source. Points-to relations of variables are used to refine it. It can differentiate elements of aggregate structures and is more precise than the ordinary access path. Based on the precise access path, we perform an inter-procedural analysis with the help of an intra-procedural analysis and combined function summary. Furthermore, our method is designed backward to detect error handling bugs. Compared with the state-of-the-art tools, our method is more scalable, with higher precision and efficiency on both benchmarks and 11 widely-used applications.

Matias Waterloo,Suzette Person,Sebastian Elbaum

DOI: https://doi.org/10.1109/ase.2015.37

2015-11-01

Abstract:Tests are increasingly specified as programs. Expressing tests as code is advantageous in that developers are comfortable writing and running code, and tests can be automated and reused as the software evolves. Tests expressed as code, however, can also contain faults. Some test faults are similar to those found in application code, while others are more subtle, caused by incorrect implementation of testing concepts and processes. These faults may cause a test to fail when it should not, or allow program faults to go undetected. In this work we explore whether lightweight static analyses can be cost-effective in pinpointing patterns associated with faults tests. Our exploration includes a categorization and explanation of test patterns, and their application to 12 open source projects that include over 40K tests. We found that several patterns, detectable through simple and efficient static analyses of just the test code, can detect faults with a low false positive rate, while other patterns would require a more sophisticated and extensive code analysis to be useful.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Ruizhi Gao,W. Eric Wong,Zhenyu Chen,Yabin Wang

DOI: https://doi.org/10.1007/s11219-015-9295-1

2015-01-01

Software Quality Journal

Abstract:Software has become ubiquitous in our daily lives, and with its increasing functionality and complexity comes a frequently tedious and prolonged debugging process. Of the three activities in program debugging (failure detection, fault localization, and bug fixing), the focus of this paper is on the first, failure detection, under the condition that there is no test oracle that can be used to automatically determine the success or failure of all the executions. More precisely, the outputs for many executions have to be verified manually, or the expected outputs are not even available. We want to determine whether there is a solution to help programmers predict the execution results. How good are these predicted results when they are used to help programmers find the locations of bugs? A framework is proposed to reduce the effort on output verification using a strategy based on the Hamming distance or K-Means clustering to predict results of test executions. Such data and the statement coverage of each test case are used to compute the suspiciousness of each statement according to a fault localization technique and produce a ranking for examination to locate bugs. Case studies using 22 programs and seven fault localization techniques were conducted to evaluate the fault localization effectiveness of the proposed framework on 1203 faulty versions, some of which have a single bug and others with multiple bugs. A discussion on factors that may affect the accuracy of execution result prediction and the resulting fault localization effectiveness is also presented. Our data suggests that, in general, with respect to fault localization techniques using execution results verified against the expected outputs, those using predicted execution results can be even more effective than (by examining a smaller number of statements to locate the first faulty statement) or as good as the former (the verified).

Han Wang,Min Zhou,Xi Cheng,Guang Chen,Ming Gu

DOI: https://doi.org/10.1007/978-3-030-04272-1_1

2018-01-01

Abstract:The usability of static analyzers is plagued by excessive false alarms. It is laborious yet error-prone to manually examine the spuriousness of defect reports. Moreover, the inability to preclude overwhelming false alarms deters user's confidence on such tools and severely limits their adoption in development cycles. In this paper, we propose a semantic approach for prioritizing defect reports emitted by static analysis. Our approach evaluates the importance of defect reports by their fatality and priorities defects by their affection to critical functions. Compared to the existing approaches that prioritize defect reports by analyzing external attributes, ours substantially utilizes semantic information derived by static analysis to measure the severity of defect reports more precisely. We have implemented a prototype which is evaluated to real-world code bases, and the results show that our approach can effectively evaluate the severity of defects.

Jian Lin,Liehui Jiang,Yisen Wang,Weiyu Dong

DOI: https://doi.org/10.1109/access.2019.2936139

IF: 3.9

2019-01-01

IEEE Access

Abstract:Value set analysis is a common static binary program analysis approach. Value set analysis attempts to identify a tight over-approximation of the program state at any given point in the program and can be used to detect vulnerability. Existing memory corruption detection analysis technologies based on value set analysis have a high false positive rate, because value set analysis suffers from a lack of accuracy. We observed that two main sources of imprecision in value set analysis are merge operation and failed branch conditions tracking. In order to address above problems, in this paper, we propose a value set analysis refinement approach based on conditional merging and lazy constraint solving. We propose a variable dependence analysis algorithm to divide program paths into subsets and only merge the states which satisfy the condition that the states are from the same subset, which reduces the imprecision from the merging operation. We collect path predicates as path constraint and solve the path constraint using Satisfiability Modulo Theories (SMT) solver lazily to get a tighter number range of the variable when a variable need be refined, which reduces the imprecision from the failed branch conditions tracking. We implement a prototype system RVSA based on the proposed approach and verify its effectiveness according to experimentation. Compared with state-of-the-art approach, the experimental results demonstrate that the false positive rate is reduced by 12.9%. Furthermore, using our proposed approach, 25 zero-day vulnerabilities are found in the Netgear httpd binary.

Bailin Lu,Wei Dong,Liangze Yin,Li Zhang

DOI: https://doi.org/10.1007/978-3-030-04272-1_4

2018-01-01

Abstract:Many static analysis methods and tools have been developed for program bug detection. They are based on diverse theoretical principles, such as pattern matching, abstract interpretation, model checking and symbolic execution. Unfortunately, none of them can meet most requirements for bug finding. Individual tool always faces high false negatives and/or false positives, which is the main obstacle for using them in practice. A direct and promising way to improve the capability of static analysis is to integrate diverse bug finders. In this paper, we first selected five state-of-the-art C/C++ static analysis tools implemented with different theories. We then evaluated them over different defect types and code structures in detail. To increase the precision and recall for tool integration, we studied how to properly employ machine learning algorithms based on features of programs and tools. Evaluation results show that: (1) the abilities of diverse tools are quite different for defect types and code structures, and their overlaps are quite small; (2) the integration based on machine learning can obviously improve the overall performance of static analysis. Finally, we investigated the defect types and code structures which are still challenging for existing tools. They should be addressed in future research on static analysis.

Yonghao Wu,Yong Liu,Weibo Wang,Zheng Li,Xiang Chen,Paul Doyle

DOI: https://doi.org/10.1109/tr.2022.3165126

IF: 5.883

2022-06-04

IEEE Transactions on Reliability

Abstract:To improve the efficiency of the fault localization process, different automatic fault localization approaches have been proposed. Among these approaches, the spectrum-based fault localization (SBFL) approach has been widely used and studied due to its lightweight and high effectiveness. However, while the existence of coincidental correct (CC) test cases can influence the usefulness of SBFL in single-fault programs, their influence on multiple fault programs has not been thoroughly investigated. Therefore, in this article, we conduct a theoretical analysis and an empirical study to investigate the effect of CC test cases on multiple fault localization. The theoretical analysis is based on a suspiciousness calculation formula of SBFL, which divides CC test cases into three categories (specific, irrelevant, and unspecific) according to their association with a specific faulty statement. Following this analysis, we conduct an empirical study on two well-known open-source repositories (SIR and Defects4J), and the experimental results verify the correctness of our theoretical analysis. Specifically, reducing the number of specific CC test cases for a faulty statement can improve or maintain fault localization accuracy, while eliminating irrelevant CC test cases can have a negative effect. Finally, we design a CC test case identification solution based on the isolation-based multiple fault localization approach and demonstrate its effectiveness via a simulation experiment.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Chih-Chiang Fang,Chin-Yu Huang

DOI: https://doi.org/10.1109/compsac61105.2024.00243

2024-01-01

Abstract:In software debugging, fault localization (FL) is an essential stage that is used to identify accurate location of faulty statement. It is well known that coverage data plays an important role in FL. In past studies, traditional principal component analysis (PCA) or revised PCA techniques were used to reduce coverage data. However, two kinds of PCA have a great opportunity to remove the actual faulty statement, especially in multiple fault localization. On the other hand, they cannot reflect the status of the statements. In this paper, we propose a novel approach based on revised PCA and incorporate the result of failed and passed test case different combinations to update contribution value of each statement. We used two Linux open-source codes (Sed, Grep) with 4 fault injections to verify the correctness. Preliminary experiments have shown that our proposed method is feasible, scalable, and shorter execution time of FL process, and also can alleviate the situations for removed faulty statements compared to the revised PCA method.

G. Doern

DOI: https://doi.org/10.1055/s-2000-9863

Seminars in Respiratory and Critical Care Medicine

Abstract:Streptococcus pneumoniae S. pneumoniae

Yu-Min Chung,Chin-Yu Huang,Yu-Chi Huang

DOI: https://doi.org/10.1109/PRDC.2008.34

2008-01-01

Abstract:In software development and maintenance, locating faults is generally a complex and time-consuming process. In order to effectively identify the locations of program faults, several approaches have been proposed. Similarity-aware fault localization (SAFL) is a testing-based fault localization method that utilizes testing information to calculate the suspicion probability of each statement. Dicing is also another method that we have used. In this paper, our proposed method focuses on predicates and their influence, instead of on statements in traditional SAFL. In our method, fuzzy theory, matrix calculating, and some probability are used. Our method detects the importance of each predicate and then provides more test data for programmers to analyze the fault locations. Furthermore, programmers will also gain some important information about the program in order to maintain their program accordingly. In order to speed up the efficiency, we also simplified the program. We performed an experimental study for several programs, together with another two testing-based fault localization (TBFL) approaches. These three methods were discussed in terms of different criteria such as line of code and suspicious code coverage. The experimental results show that the proposed method from our study can decrease the number of codes which have more probability of suspicion than real bugs.

Lian Yu,Jun Zhou,Yue Yi,Jianchu Fan,Qianxiang Wang

DOI: https://doi.org/10.1109/qsic.2009.10

2009-01-01

Abstract:Static analysis works well at checking defects that clearly map to source code constructs. Model checking can find defects of deadlocks and routing loops that are not easily detected by static analysis, but faces the problem of state explosion. This paper proposes a hybrid approach to detecting security defects in programs. Fuzzy Inference System is used to infer selection among the two detection approaches. A cluster algorithm is developed to divide a large system into several clusters in order to apply model checking. Ontology based static analysis employs logic reasoning to intelligently detect the defects. We also put forwards strategies to improve performance of the static analysis. At last, we perform experiments to evaluate the accuracy and performance of the hybrid approach.

Seongmin Lee,Shin Hong,Jungbae Yi,Taeksu Kim,Chul-Joo Kim,Shin Yoo

DOI: https://doi.org/10.1109/icst.2019.00048

2019-04-01

Abstract:Static code analysis in Continuous Integration (CI) environment can significantly improve the quality of a software system because it enables early detection of defects without any test executions or user interactions. However, being a conservative over-approximation of system behaviours, static analysis also produces a large number of false positive alarms, identification of which takes up valuable developer time. We present an automated classifier based on Convolutional Neural Networks (CNNs). We hypothesise that many false positive alarms can be classified by identifying specific lexical patterns in the parts of the code that raised the alarm: human engineers adopt a similar tactic. We train a CNN based classifier to learn and detect these lexical patterns, using a total of about 10K historical static analysis alarms generated by six static analysis checkers for over 27 million LOC, and their labels assigned by actual developers. The results of our empirical evaluation suggest that our classifier can be highly effective for identifying false positive alarms, with the average precision across all six checkers of 79.72%.