Jordan Samhi,René Just,Tegawendé F. Bissyandé,Michael D. Ernst,Jacques Klein

2024-07-11

Abstract:Static analysis is sound in theory, but an implementation may unsoundly fail to analyze all of a program's code. Any such omission is a serious threat to the validity of the tool's output. Our work is the first to measure the prevalence of these omissions. Previously, researchers and analysts did not know what is missed by static analysis, what sort of code is missed, or the reasons behind these omissions. To address this gap, we ran 13 static analysis tools and a dynamic analysis on 1000 Android apps. Any method in the dynamic analysis but not in a static analysis is an unsoundness. Our findings include the following. (1) Apps built around external frameworks challenge static analyzers. On average, the 13 static analysis tools failed to capture 61% of the dynamically-executed methods. (2) A high level of precision in call graph construction is a synonym for a high level of unsoundness; (3) No existing approach significantly improves static analysis soundness. This includes those specifically tailored for a given mechanism, such as DroidRA to address reflection. It also includes systematic approaches, such as EdgeMiner, capturing all callbacks in the Android framework systematically. (4) Modeling entry point methods challenges call graph construction which jeopardizes soundness.

Software Engineering

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.3785/j.issn.1008-973X.2015.06.005

2015-01-01

Abstract:A points-to analysis approach was proposed to generate partial call graphs of application part without analyzing the method bodies of libraries. A set of rules was bulit to model the interaction between application and libraries in order to infer the pointer information libraries. The approach was implemented based on the Soot program analysis framework. The performance, completeness and precision of generated call graphs were evaluated on 14 Java benchmarks. The experimental results showed that the proposed approach was faster than Averroes and Spark call graph construction approaches by a factor of 4.9 xand13. 7xrespectively. Meanwhile, the proposed approach can construct complete and precise partial call graphs.

Darius Foo,Jason Yeo,Hao Xiao,Asankhaya Sharma

DOI: https://doi.org/10.48550/arXiv.1909.00973

2019-09-03

Software Engineering

Abstract:Developers today use significant amounts of open source code, surfacing the need for ways to automatically audit and upgrade library dependencies, and giving rise to the subfield of Software Composition Analysis (SCA). SCA products are concerned with three tasks: discovering dependencies, checking the reachability of vulnerable code for false positive elimination, and automated remediation. The latter two tasks rely on call graphs of application and library code to check whether vulnerability-specific sinks identified in libraries are used by applications. However, statically-constructed call graphs introduce both false positives and false negatives on real-world projects. In this paper, we develop a novel, modular means of combining call graphs derived from both static and dynamic analysis to improve the performance of false positive elimination. Our experiments indicate significant performance improvements.

Neville Grech,George Fourtounis,Adrian Francalanza,Yannis Smaragdakis

DOI: https://doi.org/10.48550/arXiv.1905.02088

2019-05-06

Programming Languages

Abstract:Static analyses aspire to explore all possible executions in order to achieve soundness. Yet, in practice, they fail to capture common dynamic behavior. Enhancing static analyses with dynamic information is a common pattern, with tools such as Tamiflex. Past approaches, however, miss significant portions of dynamic behavior, due to native code, unsupported features (e.g., invokedynamic or lambdas in Java), and more. We present techniques that substantially counteract the unsoundness of a static analysis, with virtually no intrusion to the analysis logic. Our approach is reified in the HeapDL toolchain and consists in taking whole-heap snapshots during program execution, that are further enriched to capture significant aspects of dynamic behavior, regardless of the causes of such behavior. The snapshots are then used as extra inputs to the static analysis. The approach exhibits both portability and significantly increased coverage. Heap information under one set of dynamic inputs allows a static analysis to cover many more behaviors under other inputs. A HeapDL-enhanced static analysis of the DaCapo benchmarks computes 99.5% (median) of the call-graph edges of unseen dynamic executions (vs. 76.9% for the Tamiflex tool).

Gábor Antal,Péter Hegedűs,Zoltán Tóth,Rudolf Ferenc,Tibor Gyimóthy

DOI: https://doi.org/10.48550/arXiv.2405.07206

2024-05-12

Abstract:The popularity and wide adoption of JavaScript both at the client and server side makes its code analysis more important than ever before. Most of the algorithms for vulnerability analysis, coding issue detection, or type inference rely on the call graph representation of the underlying program. Despite some obvious advantages of dynamic analysis, static algorithms should also be considered for call graph construction as they do not require extensive test beds for programs and their costly execution and tracing. In this paper, we systematically compare five widely adopted static algorithms - implemented by the npm call graph, IBM WALA, Google Closure Compiler, Approximate Call Graph, and Type Analyzer for JavaScript tools - for building JavaScript call graphs on 26 WebKit SunSpider benchmark programs and 6 real-world <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> modules. We provide a performance analysis as well as a quantitative and qualitative evaluation of the results. We found that there was a relatively large intersection of the found call edges among the algorithms, which proved to be 100 precise. However, most of the tools found edges that were missed by all others. ACG had the highest precision followed immediately by TAJS, but ACG found significantly more call edges. As for the combination of tools, ACG and TAJS together covered 99% of the found true edges by all algorithms, while maintaining a precision as high as 98%. Only two of the tools were able to analyze up-to-date multi-file <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> modules due to incomplete language features support. They agreed on almost 60% of the call edges, but each of them found valid edges that the other missed.

Software Engineering

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Tao Xie,David Notkin

2001-01-01

Abstract:A dynamic call graph is the invocation relation that represents a specific set of runtime executions of a program. Dynamic call graph extraction is a typical application of dynamic analysis to aid compiler optimization, performance analysis, program understanding, etc. In this paper, we empirically compare the results of nine Java dynamic call graph extractors quantitatively and qualitatively. We investigate those differences among the dynamic call graph extracted by different tools mainly caused by different underlying Java program instrumentation techniques and other design decisions. A comparison between static call graph and dynamic call graph shows software engineering tools for program understanding place a different requirement on dynamic call graph from compilers or profilers whose main purpose is optimization or performance tuning. Dynamic call graphs require some complementary static information and an effective representation to aid program understanding. Choosing an appropriate instrumentation technique, integrating static and dynamic information, and providing flexible user manipulation for dynamic call graphs can better facilitate program understanding task. In this paper, we discuss the study and sketch the design considerations for an effective dynamic call graph tool to support program understanding.

Yue Li,Tian Tan,Jingling Xue

DOI: https://doi.org/10.1007/978-3-662-48288-9_10

2015-01-01

Abstract:We introduce Solar, the first reflection analysis that allows its soundness to be reasoned about when some assumptions are met and produces significantly improved under-approximations otherwise. In both settings, Solar has three novel aspects: (1) lazy heap modeling for reflective allocation sites, (2) collective inference for improving the inferences on related reflective calls, and (3) automatic identification of "problematic" reflective calls that may threaten its soundness, precision and scalability, thereby enabling their improvement via lightweight annotations. We evaluate Solar against two state-of-the-art solutions, Doop and Elf, with the three treated as under-approximate reflection analyses, using 11 large Java benchmarks and applications. Solar is significantly more sound while achieving nearly the same precision and running only several-fold more slowly, subject to only 7 annotations in 3 programs.

S. Tucker Taft

DOI: https://doi.org/10.1007/s10009-024-00762-1

2024-08-31

International Journal on Software Tools for Technology Transfer

Abstract:CodePeer is a static analysis tool based on compiler optimization techniques such as static single assignment and value numbering. CodePeer infers and reports on implicit preconditions for each function of the program, based on limitations it identifies within the algorithm of the function. Presuming these inferred preconditions are satisfied, CodePeer then simulates the execution of each function, and identifies places where a program might still fail at run time, due to violating some run-time check or an error that leads to undefined behavior. CodePeer uses static single assignment and global value numbering to ensure that the determination of possible run-time values of each variable and expression encountered during the simulation of the execution of each function is both sound and precise. The approximations performed to ensure that the determination of possible values converges in the face of loops and recursion are systematic and based on the kinds of conservative analysis performed by compiler optimizers. The output of CodePeer includes for each function an enumeration of its global inputs and global outputs and inferred preconditions and postconditions. The output also includes, interspersed within a listing of the source of the function, an identification of the places where possible run-time failures or undefined behavior could occur. This output is designed to support code review, which gives the tool its CodePeer name.

computer science, software engineering

Jiawei Han,Chao Liu

2008-01-01

Abstract:Recent years have seen great advances in software engineering and programming languages. Unfortunately, software is still far from bug-free, even for those deployed. Static analysis is a good approach to eliminating numerous bugs, but its conservative nature of analysis unavoidably constrains its capacity. Dynamic analysis, on the other hand, utilizes program runtime execution data, which complements static approaches. This thesis describes three dynamic techniques that leverage program runtime data to improve software quality.First, we present a statistical debugging algorithm, called S OBER, which automatically localizes software faults without any prior knowledge of the program semantics. This statistical debugging alleviates the high cost associated with manual debugging. Featuring a similar rationale to hypothesis testing, SOBER quantifies the fault relevance of each predicate in a principled way. We systematically evaluate S OBER under the same setting as previous studies, and compare S OBER with other seven algorithms. The result clearly demonstrates the advantages of SOBER over existing approaches.Second, we discuss automated program failure triage, which is a closely related problem with automated debugging. Recent software systems usually feature an automated failure reporting component, with which a huge number of failures are collected from software end-users. In order to effectively leverage the valuable program failure data, the collected failures need to be first triaged, i.e., to locate the most severe failures, and to assign them to appropriate developers. Lying in the center of failure triage is failure indexing, which tries to group failures due to the fault together. In this thesis, we propose a statistical debugging-based approach to program failure triage, called R-PROXIMITY, which better indexes failures and facilitates failure assignment than existing approaches. Finally, we describe a program dynamic slicing-based approach to failure indexing, which complements R-PROXIMITY. R-PROXIMITY is a quality failure indexing tool, but its effectiveness relies on a sufficient number of correct executions, which may or may not be available in practice. The proposed dynamic slicing-based approach does not require any correct executions, and hence perfectly complements R-PROXIMITY . All the three techniques are subject to three mid-sized programs grep, gzip, and flex, and the result validates their advancement of the state of the art.

Weigang He,Peng Di,Mengli Ming,Chengyu Zhang,Ting Su,Shijie Li,Yulei Sui

DOI: https://doi.org/10.1145/3660781

2024-07-12

Abstract:Static analyzers are playing crucial roles in helping find programming mistakes and security vulnerabilities. The correctness of their analysis results is crucial for the usability in practice. Otherwise, the potential defects in these analyzers (, implementation errors, improper design choices) could affect the soundness (leading to false negatives) and precision (leading to false positives). However, finding the defects in off-the-shelf static analyzers is challenging because these analyzers usually lack clear and complete specifications, and the results of different analyzers may differ. To this end, this paper designs two novel types of automated oracles to find defects in static analyzers with randomly generated programs. The first oracle is constructed by using dynamic program executions and the second one leverages the inferred static analysis results. We applied these two oracles on three state-of-the-art static analyzers: Clang Static Analyzer (CSA), GCC Static Analyzer (GSA), and Pinpoint. We found 38 unique defects in these analyzers, 28 of which have been confirmed or fixed by the developers. We conducted a case study on these found defects followed by several insights and lessons learned for improving and better understanding static analyzers. We have made all the artifacts publicly available at https://github.com/Geoffrey1014/SA_Bugs for replication and benefit the community.

Qing Gao,Shikun Zhang,Xianglong Chen,Sen Ma,Sihao Shao,Yulei Sui,Guoliang Zhao,Luyao Ma,Xiao Ma,Fuyao Duan,Xiao Deng

DOI: https://doi.org/10.1145/3196321.3196367

2018-01-01

Abstract:To obtain precise and sound results, most of existing static analyzers require whole program analysis with complete source code. However, in reality, the source code of an application always interacts with many third-party libraries, which are often not easily accessible to static analyzers. Worse still, more than 30% of legacy projects [1] cannot be compiled easily due to complicated configuration environments (e.g., third-party libraries, compiler options and macros), making ideal "whole-program analysis" unavailable in practice. This paper presents CoBOT [2], a static analysis tool that can detect bugs in the presence of incomplete code. It analyzes function APIs unavailable in application code by either using function summarization or automatically downloading and analyzing the corresponding library code as inferred from the application code and its configuration files. The experiments show that CoBOT is not only easy to use, but also effective in detecting bugs in real-world programs with incomplete code. Our demonstration video is at: https://youtu.be/bhjJp3e7LPM.

Qing Gao,Sen Ma,Sihao Shao,Yulei Sui,Guoliang Zhao,Luyao Ma,Xiao Ma,Fuyao Duan,Xiao Deng,Shikun Zhang,Xianglong Chen

DOI: https://doi.org/10.1145/3196321.3196367

2018-01-01

Abstract:To obtain precise and sound results, most of existing static analyzers require whole program analysis with complete source code. However, in reality, the source code of an application always interacts with many third-party libraries, which are often not easily accessible to static analyzers. Worse still, more than 30% of legacy projects [1] cannot be compiled easily due to complicated configuration environments (e.g., third-party libraries, compiler options and macros), making ideal "whole-program analysis" unavailable in practice. This paper presents CoBOT [2], a static analysis tool that can detect bugs in the presence of incomplete code. It analyzes function APIs unavailable in application code by either using function summarization or automatically downloading and analyzing the corresponding library code as inferred from the application code and its configuration files. The experiments show that CoBOT is not only easy to use, but also effective in detecting bugs in real-world programs with incomplete code. Our demonstration video is at: https://youtu.be/bhjJp3e7LPM.

Yulu Cao,Lin Chen,Zhifei Chen,Jiacheng Zhong,Xiaowei Zhang,Linzhang Wang

DOI: https://doi.org/10.1142/s0218194024500104

IF: 1.007

2024-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Call graphs facilitate various tasks in software engineering. However, for the dynamic language Python, the complex language features and external library dependencies pose enormous challenges for building the call graphs of real projects. Some program analysis techniques used for call graph construction in other languages are impractical for Python. In this paper, we present STAR, a practical technique for the construction of Python static call graphs. We reformulate call graph construction as an entity identification task. STAR leverages inter-module summary and cross-project dependencies to construct a fine-grained entity knowledge base to identify the possible nodes and edges of the call graph in the code, and then construct the call graph. Our evaluation of three benchmarks shows that (1) STAR improves recall in three benchmarks compared to three baseline tools. Especially, STAR improves the recall of reachable nodes and reachable edges compared with the state-of-the-art tool by 11.3% and 9.8%, respectively; (2) STAR achieves comparable performance as three baseline tools in execution time and memory usage and is more efficient in large projects; (3) STAR can be effectively used for the task of detecting vulnerability propagation with real-world cases. We expect our results will attract more exploration of practical methods and improve the application of Python call graphs.

George Fourtounis,Yannis Smaragdakis

DOI: https://doi.org/10.4230/LIPIcs.ECOOP.2019.15

2020-01-08

Abstract:Java 7 introduced programmable dynamic linking in the form of the invokedynamic framework. Static analysis of code containing programmable dynamic linking has often been cited as a significant source of unsoundness in the analysis of Java programs. For example, Java lambdas, introduced in Java 8, are a very popular feature, which is, however, resistant to static analysis, since it mixes invokedynamic with dynamic code generation. These techniques invalidate static analysis assumptions: programmable linking breaks reasoning about method resolution while dynamically generated code is, by definition, not available statically. In this paper, we show that a static analysis can predictively model uses of invokedynamic while also cooperating with extra rules to handle the runtime code generation of lambdas. Our approach plugs into an existing static analysis and helps eliminate all unsoundness in the handling of lambdas (including associated features such as method references) and generic invokedynamic uses. We evaluate our technique on a benchmark suite of our own and on third-party benchmarks, uncovering all code previously unreachable due to unsoundness, highly efficiently.

Programming Languages

Bailin Lu,Wei Dong,Liangze Yin,Li Zhang

DOI: https://doi.org/10.1007/978-3-030-04272-1_4

2018-01-01

Abstract:Many static analysis methods and tools have been developed for program bug detection. They are based on diverse theoretical principles, such as pattern matching, abstract interpretation, model checking and symbolic execution. Unfortunately, none of them can meet most requirements for bug finding. Individual tool always faces high false negatives and/or false positives, which is the main obstacle for using them in practice. A direct and promising way to improve the capability of static analysis is to integrate diverse bug finders. In this paper, we first selected five state-of-the-art C/C++ static analysis tools implemented with different theories. We then evaluated them over different defect types and code structures in detail. To increase the precision and recall for tool integration, we studied how to properly employ machine learning algorithms based on features of programs and tools. Evaluation results show that: (1) the abilities of diverse tools are quite different for defect types and code structures, and their overlaps are quite small; (2) the integration based on machine learning can obviously improve the overall performance of static analysis. Finally, we investigated the defect types and code structures which are still challenging for existing tools. They should be addressed in future research on static analysis.

Gabor Horvath,Reka Kovacs,Zoltan Porkolab

2024-08-04

Abstract:Static analysis is the analysis of a program without executing it, usually carried out by an automated tool. Symbolic execution is a popular static analysis technique used both in program verification and in bug detection software. It works by interpreting the code, introducing a symbol for each value unknown at compile time (e.g. user-given inputs), and carrying out calculations symbolically. The analysis engine strives to explore multiple execution paths simultaneously, although checking all paths is an intractable problem, due to the vast number of possibilities. We focus on an error finding framework called the Clang Static Analyzer, and the infrastructure built around it named CodeChecker. The emphasis is on achieving end-to-end scalability. This includes the run time and memory consumption of the analysis, bug presentation to the users, automatic false positive suppression, incremental analysis, pattern discovery in the results, and usage in continuous integration loops. We also outline future directions and open problems concerning these tools. While a rich literature exists on program verification software, error finding tools normally need to settle for survey papers on individual techniques. In this paper, we not only discuss individual methods, but also how these decisions interact and reinforce each other, creating a system that is greater than the sum of its parts. Although the Clang Static Analyzer can only handle C-family languages, the techniques introduced in this paper are mostly language-independent and applicable to other similar static analysis tools.

Software Engineering

Avi Hayoun,Veselin Raychev,Jack Hair

2024-04-19

Abstract:Static analysis is a growing application of software engineering, leading to a range of essential security tools, bug-finding tools, as well as software verification. Recent years show an increase of universal static analysis tools that validate a range of properties and allow customizing parts of the scanner to validate additional properties or "static analysis rules". A commonly used language to describe a range of static analysis applications is Datalog. Unfortunately, the language is still non-trivial to use, leading to analysis that is difficult to implement in a precise but performant way. In this work, we aim to make building custom static analysis tools much easier for developers, while at the same time, providing a familiar framework for application security and static analysis experts. Our approach introduces a language called StarLang, a variant of Datalog which only includes programs with a fast runtime by the means of having low time complexity of its decision procedure.

Programming Languages,Logic in Computer Science,Software Engineering

Joanna C. S. Santos,Mehdi Mirakhorli,Ali Shokri

DOI: https://doi.org/10.1145/3649851

2024-09-02

Abstract:Object serialization and deserialization are widely used for storing and preserving objects in files, memory, or database as well as for transporting them across machines, enabling remote interaction among processes and many more. This mechanism relies on reflection, a dynamic language that introduces serious challenges for static analyses. Current state-of-the-art call graph construction algorithms do not fully support object serialization/deserialization, i.e., they are unable to uncover the callback methods that are invoked when objects are serialized and deserialized. Since call graphs are a core data structure for multiple types of analysis (e.g., vulnerability detection), an appropriate analysis cannot be performed since the call graph does not capture hidden (vulnerable) paths that occur via callback methods. In this paper, we present Seneca, an approach for handling serialization with improved soundness in the context of call graph construction. Our approach relies on taint analysis and API modeling to construct sound call graphs. We evaluated our approach with respect to soundness, precision, performance, and usefulness in detecting untrusted object deserialization vulnerabilities. Our results show that Seneca can create sound call graphs with respect to serialization features. The resulting call graphs do not incur significant runtime overhead and were shown to be useful for performing identification of vulnerable paths caused by untrusted object deserialization.

Software Engineering