Sen Ma,MingYang Jiao,ShiKun Zhang,Wen Zhao,Dong Wei Wang

DOI: https://doi.org/10.1109/issrew.2015.7392049

2015-01-01

Abstract:This paper proposes a practical static analysis tool named LUKE, for detecting null pointer dereferences (NPD) in C programs. LUKE first uses a guarded value-dependence graph (VDG) to track the dependence relations of values, and then detects NPD by solving the graph reachability problem on its VDG. To improve accuracy as well as scalability, the detection algorithm leverages heuristic inference algorithms and the results of control dependences analysis. We evaluated LUKE on 10 large-scale open source projects, and the results show that LUKE has a false positive rate of only 4.3%, which is much lower than Clang, Saturn and Calysto. The analysis speed is also 4.6X, 15.5X and 17.9X faster, respectively. On the evaluated benchmarks, LUKE succeeds in finding a superset of the bugs reported by the published tools we investigated. We also show that LUKE scales to 416,500 lines of code, the largest benchmark we had.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

Meng Yan,Xin Xia,Yuanrui Fan,Ahmed E. Hassan,David Lo,Shanping Li

DOI: https://doi.org/10.1109/tse.2020.2978819

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Defect localization aims to locate buggy program elements (e.g., buggy files, methods or lines of code) based on defect symptoms, e.g., bug reports or program spectrum. However, when we receive the defect symptoms, the defect has been exposed and negative impacts have been introduced. Thus, one challenging task is: whether we can locate buggy program prior to the appearance of the defect symptom (e.g., when buggy program elements are being committed to a version control system). We refer to this type of defect localization as “Just-In-Time (JIT) Defect localization”. Although many prior studies have proposed various JIT defect identification methods to identify whether a new change is buggy, these prior methods do not locate the suspicious positions. Thus, JIT defect localization is the next step of JIT defect identification (i.e., after a buggy change is identified, suspicious source code lines are located). To address this problem, we propose a two-phase framework, i.e., JIT defect identification and JIT defect localization. Given a new change, JIT defect identification will identify it as buggy change or clean change first. If a new change is identified as buggy, JIT defect localization will rank the source code lines introduced by the new change according to their suspiciousness scores. The source code lines ranked at the top of the list are estimated as the defect location. For JIT defect identification phase, we use 14 change-level features to build a classifier by following existing approach. For JIT defect localization phase, we propose a JIT defect localization approach that leverages software naturalness with the N-gram model. To evaluate the proposed framework, we conduct an empirical study on 14 open source projects with a total of 177,250 changes. The results show that software naturalness is effective for our JIT defect localization. Our model achieves a reasonable performance, and outperforms the two baselines (i.e., random guess and a static bug finder (i.e., PMD)) by a substantial margin in terms of four ranking measures.

Yang Bai,Yuping Wang

DOI: https://doi.org/10.3969/j.issn.2095-2783.2014.10.009

2014-01-01

Abstract:Null pointer dereference error is a common bug,which is hard to detect and avoid.A flow-sensitive,path-sensitive and context-sensitive static analysis method is proposed,combined traditional static analysis methods and symbolic execution.Global pointers,local pointers and pointers as function parameters are modeled to simplify the positions of pointers.Pointer states are passed among functions.Constraint solving method is used to determine the path reachability.When completing analyzing a func-tion,pointer states are merged.Furthermore,manual bug trigger conditions annotation is used to improve the efficiency.Experi-ments show that the method is feasible and efficient for all kinds of null pointer dereference errors.

Lei Xue,Chenxiong Qian,Hao Zhou,Xiapu Luo,Yajin Zhou,Yuru Shao,Alvin T. S. Chan

DOI: https://doi.org/10.1109/tifs.2018.2866347

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:For performance and compatibility reasons, developers tend to use native code in their applications (or simply apps). This makes a bidirectional data flow through multiple contexts, i.e., the Java context and the native context, in Android apps. Unfortunately, this interaction brings serious challenges to existing dynamic analysis systems, which fail to capture the data flow across different contexts. In this paper, we first performed a large-scale study on apps using native code and reported some observations. Then, we identified several scenarios where data flow cannot be tracked by existing systems, leading to uncaught information leakage. Based on these insights, we designed and implemented NDroid, an efficient dynamic taint analysis system that could track the data flow between both Java context and native context. The evaluation of real apps demonstrated the effectiveness of NDroid in identifying information leakage with reasonable performance overhead.

Jian Xu,Zhenyu Zhang,W. K. Chan,T. H. Tse,Shanping Li

DOI: https://doi.org/10.1016/j.infsof.2012.08.006

IF: 3.9

2012-01-01

Information and Software Technology

Abstract:Context: Existing fault-localization techniques combine various program features and similarity coefficients with the aim of precisely assessing the similarities among the dynamic spectra of these program features to predict the locations of faults. Many such techniques estimate the probability of a particular program feature causing the observed failures. They often ignore the noise introduced by other features on the same set of executions that may lead to the observed failures. It is unclear to what extent such noise can be alleviated. Objective: This paper aims to develop a framework that reduces the noise in fault-failure correlation measurements. Method: We develop a fault-localization framework that uses chains of key basic blocks as program features and a noise-reduction methodology to improve on the similarity coefficients of fault-localization techniques. We evaluate our framework on five base techniques using five real-life median-scaled programs in different application domains. We also conduct a case study on subjects with multiple faults. Results: The experimental result shows that the synthesized techniques are more effective than their base techniques by almost 10%. Moreover, their runtime overhead factors to collect the required feature values are practical. The case study also shows that the synthesized techniques work well on subjects with multiple faults. Conclusion: We conclude that the proposed framework has a significant and positive effect on improving the effectiveness of the corresponding base techniques.

Sam Estep,Jenna Wise,Jonathan Aldrich,Éric Tanter,Johannes Bader,Joshua Sunshine

DOI: https://doi.org/10.48550/arXiv.2105.06081

2021-07-15

Abstract:Static analysis tools typically address the problem of excessive false positives by requiring programmers to explicitly annotate their code. However, when faced with incomplete annotations, many analysis tools are either too conservative, yielding false positives, or too optimistic, resulting in unsound analysis results. In order to flexibly and soundly deal with partially-annotated programs, we propose to build upon and adapt the gradual typing approach to abstract-interpretation-based program analyses. Specifically, we focus on null-pointer analysis and demonstrate that a gradual null-pointer analysis hits a sweet spot, by gracefully applying static analysis where possible and relying on dynamic checks where necessary for soundness. In addition to formalizing a gradual null-pointer analysis for a core imperative language, we build a prototype using the Infer static analysis framework, and present preliminary evidence that the gradual null-pointer analysis reduces false positives compared to two existing null-pointer checkers for Infer. Further, we discuss ways in which the gradualization approach used to derive the gradual analysis from its static counterpart can be extended to support more domains. This work thus provides a basis for future analysis tools that can smoothly navigate the tradeoff between human effort and run-time overhead to reduce the number of reported false positives.

Programming Languages

Md. Fahim Sultan,Tasmin Karim,Md. Shazzad Hossain Shaon,Mohammad Wardat,Mst Shapna Akter

2024-11-30

Abstract:Software security is crucial in any field where breaches can exploit sensitive data, and lead to financial losses. As a result, vulnerability detection becomes an essential part of the software development process. One of the key steps in maintaining software integrity is identifying vulnerabilities in the source code before deployment. A security breach like CWE-476, which stands for NULL pointer dereferences (NPD), is crucial because it can cause software crashes, unpredictable behavior, and security vulnerabilities. In this scientific era, there are several vulnerability checkers, where, previous tools often fall short in analyzing specific feature connections of the source code, which weakens the tools in real-world scenarios. In this study, we propose another novel approach using a fine-tuned Large Language Model (LLM) termed "DeLLNeuN". This model leverages the advantage of various layers to reduce both overfitting and non-linearity, enhancing its performance and reliability. Additionally, this method provides dropout and dimensionality reduction to help streamline the model, making it faster and more efficient. Our model showed 87% accuracy with 88% precision using the Draper VDISC dataset. As software becomes more complex and cyber threats continuously evolve, the need for proactive security measures will keep growing. In this particular case, the proposed model looks promising to use as an early vulnerability checker in software development.

Software Engineering

Ping CHEN,Hao HAN,Xiao-bing SHEN,Xin-chun YIN,Bing MAO,Li XIE

2010-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:In recent years, Integer bugs have been rising sharply and become a potential threat as it is often hidden behind other bugs. In this paper, we propose a tool which can automatically detect Integer bugs. We implement the tool based on static and dynamic program analysis. In the static phase, the tool decompiles a binary and creates the suspect instruction set. In the dynamic phase, it monitors the instructions in the suspect set and generates the test cases to further detect which instructions are real Integer bugs. Our tool has two advantages. First, it provides more accurate and sufficient type information. Second, static analysis reduces the instructions which are monitored at runtime. Experimental results shows that our tool can efficiently detect the Integer bugs in several real-world programs. In addition, our tool has no false negatives and low false positives.

Linna Xie,Lu,Shunjie Ding,Yu Pei,Minxue Pan,Tian Zhang

DOI: https://doi.org/10.1145/3457913.3457940

2021-01-01

Abstract:Developers often neglect to handle exceptions, which leads to exception handling defects that affect the robustness of applications or even cause crashes. To improve the robustness of android applications while reducing the development burden of developers, we present Fixeh and Automatic Detection Tool, as an approach that can automatically detect exception handling defects related to external resources. By implanting exception control codes into the input application, Fixeh helps applications throw exceptions at the specified call position while running the UI test. During running the UI test, Automatic Detection Tool generates a limited number of exception trigger patterns by using suspicious call filtering algorithm and traversal algorithm. After collecting and analyzing the running results under these patterns, the exception handling defects will be detected. We evaluate our approach by applying it to detect anomalies in 6 different types of applications with stable operation. We conducted 1422 rounds of experiments under different exception triggering patterns, and we observed abnormalities in 517 rounds. A comparison with other related work shows that our approach can detect defects more effectively. Through the analysis of our experiments, we confirmed 39 exception handling defects related to external resources. Finally, we summarized three common types of defects from them.

Ming Zhang,Zonghua Gu,Hong Li,Nenggan Zheng

DOI: https://doi.org/10.1109/access.2018.2852805

IF: 3.9

2018-01-01

IEEE Access

Abstract:Safety-critical embedded systems in application domains, such as aerospace, automotive, and industrial automation, must satisfy dual requirements of fault-tolerance and real-time predictability. Control flow checking is an effective technique for improving embedded systems’ reliability by online monitoring and checking of software control flow to detect runtime deviations from the control flow graph. However, inserting instrumentation code in every basic block incurs significant execution time overhead, which may cause the program to violate its timing constraints. In this paper, we propose to selectively instrument a subset of code regions that are larger than basic blocks, called super-nodes, in order to make the program partially resilient to control flow errors while keeping the program worst-case execution time (WCET) below a given upper bound. WCET analysis is invoked to estimate the program WCET and to identify the corresponding worst-case execution path (WCEP). An ILP formulation is used to judiciously select a subset of super-nodes on the WCEP for instrumentation, so that the best fault detection coverage is achieved without violating the given WCET upper bound. The optimization is repeated for each identified WCEP until the program WCET satisfies the WCET upper bound. Experimental results demonstrate significant improvements of fault detection coverage compared with related work.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Guangtai Liang,Qian Wu,Qianxiang Wang,Hong Mei

DOI: https://doi.org/10.1109/COMPSAC.2012.22

2012-01-01

Abstract:Failing to release unneeded system resources such as I/O streams can result in resource leaks, which can lead to performance degradation and system crashes. Existing resource-leak detectors are usually based on predefined defect patterns to detect resource leaks in software. However, they typically report too many false positives and negatives, and also lack effective warning prioritization. Our empirical investigation shows that, their predefined defect patterns are not precise enough, and moreover, their used defect detection processes are not suitable enough for the defect patterns. In our approach, we introduce a novel Expressive Defect Pattern Specification Notation (EDPSN). With EDPSN, a resource-leak defect pattern can be defined more precisely by specifying conditional method calls and more expressively by including guiding information for the defect detection and warning prioritization process, such as the characteristics of its preferred defect detection process and the effective prioritization impact factors for its related warnings. Based on the EDPSN-based defect pattern, our approach tries to flexibly tune out a suitable defect detection and warning prioritization process. Through evaluations on three real-world projects (Eclipse-3.0.1, JBoss-3.0.6, and Weka-3.6.4), we show that our approach achieves high average precision (96%) and recall (74%), 26% and 49% higher than existing approaches, respectively.

Ankush Das,Akash Lal

DOI: https://doi.org/10.48550/arXiv.1702.05807

2017-02-20

Abstract:Precise analysis of pointer information plays an important role in many static analysis techniques and tools today. The precision, however, must be balanced against the scalability of the analysis. This paper focusses on improving the precision of standard context and flow insensitive alias analysis algorithms at a low scalability cost. In particular, we present a semantics-preserving program transformation that drastically improves the precision of existing analyses when deciding if a pointer can alias NULL. Our program transformation is based on Global Value Numbering, a scheme inspired from compiler optimizations literature. It allows even a flow-insensitive analysis to make use of branch conditions such as checking if a pointer is NULL and gain precision. We perform experiments on real-world code to measure the overhead in performing the transformation and the improvement in the precision of the analysis. We show that the precision improves from 86.56% to 98.05%, while the overhead is insignificant.

Programming Languages

Fangcheng Qiu,Zhipeng Gao,Xin Xia,David Lo,John Grundy,Xinyu Wang

DOI: https://doi.org/10.1109/tse.2021.3135875

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:During software development and maintenance, defect localization is an essential part of software quality assurance. Even though different techniques have been proposed for defect localization, i.e., information retrieval (IR)-based techniques and spectrum-based techniques, they can only work after the defect has been exposed, which can be too late and costly to adapt to the newly introduced bugs in the daily development. There are also many JIT defect prediction tools that have been proposed to predict the buggy commit. But these tools do not locate the suspicious buggy positions in the buggy commit. To assist developers to detect bugs in time and avoid introducing them, just-in-time (JIT) bug localization techniques have been proposed, which is targeting to locate suspicious buggy code after a change commit has been submitted. In this paper, we propose a novel JIT defect localization approach, named DeepDL (Deep Learning-based defect localization), to locate defect code lines within a defect introducing change. DeepDL employs a neural language model to capture the semantics of the code lines, in this way, the naturalness of each code line can be learned and converted to a suspiciousness score. The core of our DeepDL is a deep learning-based neural language model. We train the neural language model with previous snapshots (history versions) of a project so that it can calculate the naturalness of a piece of code. In its application, for a given new code change, DeepDL automatically assigns a suspiciousness score to each code line and sorts these code lines in descending order of this score. The code lines at the top of the list are considered as potential defect locations. Our tool can assist developers efficiently check buggy lines at an early stage, which is able to reduce the risk of introducing bugs in time and improve the developers’ confidence in the reliability of their software. We conducted an extensive experiment on 14 open source Java projects with a total of 11,615 buggy changes. We evaluate the experimental results considering four evaluation metrics. The experimental results show that our method outperforms the state-of-the-art by a substantial margin.

engineering, electrical & electronic,computer science, software engineering

Pingyan Wang,Shaoying Liu

DOI: https://doi.org/10.1142/s0218194024500013

IF: 1.007

2024-02-23

International Journal of Software Engineering and Knowledge Engineering

Abstract:International Journal of Software Engineering and Knowledge Engineering, Ahead of Print. Pointer analysis is the underlying technique of many static analysis tools for vulnerability discovery. It has proved to be effective in identifying a variety of vulnerabilities, such as buffer overflow vulnerabilities and injection vulnerabilities. However, most existing pointer analysis approaches require whole-program availability, i.e. the program to be analyzed should be complete, which may hinder a timely analysis during the coding phase. In this paper, we present two approaches, exhaustive and demand-driven pointer analyses, both of which are applied to a paradigm known as Human–Machine Pair Programming. The ideas enable us to discover security flaws as early as in the coding phase. In this paper, we describe in detail how our approaches maintain flow sensitivity and propagate points-to and taint information in an incremental fashion. We conduct an evaluation of our approaches on SecuriBench Micro and show that the approaches can capture all the potential vulnerabilities in the test cases, though several false alarms are reported.

computer science, artificial intelligence,engineering, electrical & electronic, software engineering

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3276511

2018-01-01

Proceedings of the ACM on Programming Languages

Abstract:Context sensitivity is an essential technique for ensuring high precision in Java pointer analyses. It has been observed that applying context sensitivity partially, only on a select subset of the methods, can improve the balance between analysis precision and speed. However, existing techniques are based on heuristics that do not provide much insight into what characterizes this method subset. In this work, we present a more principled approach for identifying precision-critical methods, based on general patterns of value flows that explain where most of the imprecision arises in context-insensitive pointer analysis. Accordingly, we provide an efficient algorithm to recognize these flow patterns in a given program and exploit them to yield good tradeoffs between analysis precision and speed. Our experimental results on standard benchmark and real-world programs show that a pointer analysis that applies context sensitivity partially, only on the identified precision-critical methods, preserves effectively all (98.8%) of the precision of a highly-precise conventional context-sensitive pointer analysis (2-object-sensitive with a context-sensitive heap), with a substantial speedup (on average 3.4X, and up to 9.2X).

Christopher L. Conway,Kedar S. Namjoshi,Dennis Dams,Stephen A. Edwards

DOI: https://doi.org/10.1007/11513988_45

2005-01-01

Abstract:Automaton-based static program analysis has proved to be an effective tool for bug finding. Current tools generally re-analyze a program from scratch in response to a change in the code, which can result in much duplicated effort. We present an inter-procedural algorithm that analyzes incrementally in response to program changes and present experiments for a null-pointer dereference analysis. It shows a substantial speed-up over re-analysis from scratch, with a manageable amount of disk space used to store information between analysis runs.

Yu Wang,Fengjuan Gao,Linzhang Wang,Ke Wang

DOI: https://doi.org/10.48550/arXiv.1907.05579

2019-07-12

Software Engineering

Abstract:We present an alternative approach to creating static bug finders. Instead of relying on human expertise, we utilize deep neural networks to train static analyzers directly from data. In particular, we frame the problem of bug finding as a classification task and train a classifier to differentiate the buggy from non-buggy programs using Graph Neural Network (GNN). Crucially, we propose a novel interval-based propagation mechanism that leads to a significantly more efficient, accurate and scalable generalization of GNN. We have realized our approach into a framework, NeurSA, and extensively evaluated it. In a cross-project prediction task, three neural bug detectors we instantiate from NeurSA are effective in catching null pointer dereference, array index out of bound and class cast bugs in unseen code. We compare NeurSA against several static analyzers (e.g. Facebook Infer and Pinpoint) on a set of null pointer dereference bugs. Results show that NeurSA is more precise in catching the real bugs and suppressing the spurious warnings. We also apply NeurSA to several popular Java projects on GitHub and discover 50 new bugs, among which 9 have been fixed, and 3 have been confirmed.