开源CC++静态软件缺陷检测工具实证研究

doi:10.13328/j.cnki.jos.006569

微信服务号

微信订阅号

2025年3月16日 7:05 星期日

首页 > 过刊浏览>2022年第33卷第6期 >2061-2081. DOI:10.13328/j.cnki.jos.006569

PDF HTML阅读 XML下载导出引用引用提醒

开源CC++静态软件缺陷检测工具实证研究
DOI:
                        10.13328/j.cnki.jos.006569
                    
CSTR:
                        
                    
作者:
                        李广威李广威
计算机体系结构国家重点实验室(中国科学院 计算技术研究所), 北京 100190;中国科学院大学, 北京 100049
在期刊界中查找
在百度中查找
在本站中查找
袁挺袁挺
计算机体系结构国家重点实验室(中国科学院 计算技术研究所), 北京 100190;中国科学院大学, 北京 100049
在期刊界中查找
在百度中查找
在本站中查找
李炼李炼
计算机体系结构国家重点实验室(中国科学院 计算技术研究所), 北京 100190;中国科学院大学, 北京 100049
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:李广威(1991-),男,博士生,CCF学生会员,主要研究领域为程序分析;李炼(1977-),男,博士,研究员,博士生导师,CCF专业会员,主要研究领域为程序分析,软件安全;袁挺(1994-),男,博士生,主要研究领域为程序分析
通讯作者:李炼,E-mail:lianli@ict.ac.cn
中图分类号:TP311
基金项目:国家自然科学基金(61802368,62090024)

Study of State-of-the-art Open-source C/C++ Static Analysis Tools

Author:

LI Guang-Wei
LI Guang-Wei
State Key Laboratory of Computer Architecture (Institute of Computing Technology, Chinese Academy of Sciences), Beijing 100190, China;University of Chinese Academy of Sciences, Beijing 100049, China
在期刊界中查找
在百度中查找
在本站中查找
YUAN Ting
YUAN Ting
State Key Laboratory of Computer Architecture (Institute of Computing Technology, Chinese Academy of Sciences), Beijing 100190, China;University of Chinese Academy of Sciences, Beijing 100049, China
在期刊界中查找
在百度中查找
在本站中查找
LI Lian
LI Lian
State Key Laboratory of Computer Architecture (Institute of Computing Technology, Chinese Academy of Sciences), Beijing 100190, China;University of Chinese Academy of Sciences, Beijing 100049, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

摘要

图/表

访问统计

参考文献 [52]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

软件静态缺陷检测是软件安全领域中的一个研究热点.随着使用C/C++语言编写的软件规模和复杂度的逐渐提高,软件迭代速度的逐渐加快,由于静态软件缺陷检测不需要运行目标代码即可发现其中潜藏的缺陷,因而在工业界和学术界受到了更为广泛的关注.近年来涌现出大量使用软件静态分析技术的检测工具,并在不同领域的软件项目中发挥了不可忽视的作用,但是开发者仍然对静态缺陷检测工具缺乏信心.高误报率是C/C++静态缺陷检测工具难以普及的首要原因.因此,选择现有的较为完善的开源C/C++静态缺陷检测工具,在Juliet基准测试集和37个良好维护的开源软件项目上对特定类型缺陷的检测效果进行了深入研究,结合检测工具的具体实现,归纳了导致静态缺陷检测工具产生误报的关键原因.同时,通过研究静态缺陷检测工具的版本迁移轨迹,总结出了当下静态分析工具的发展方向和未来趋势,有助于未来静态分析技术的优化和发展,从而实现静态缺陷检测工具的普及应用.

关键词:软件缺陷检测;静态分析;软件质量保证;源码安全

Abstract:

Static software defect detection is an active research topic in the domain of software engineering and software security. Along with the increase of software complexity and size, static software defect detection has been applied in both industry and academy to take the benefit of finding defects in C/C++ programs without execution. A large amount of static analysis tools (SATs) for C/C++ have been developed in recent years, and have played an important role in automatically finding defects in various kinds of C/C++ software projects. In spite of this, developers are still having less confidence on SATs mainly due to the high false positive rate that has been an unsolved problem for a long time. This research dives deep into state-of-the-art static analysis tools for C/C++ and figures out why false positives are raised through the approach of running them on Juliet Test Suite and 37 open-source real-world software projects. With insight of the design and implementation details of the selected open-source SATs, the exact reasons of which result in the high false positive rateare found. Moreover, the effort is also made to trace the tendency of development and the future of state-of-the-art open-source C/C++ SATs.

Key words:software defect detection;static analysis;software quality assurance;source code security

参考文献

[1] Annual Report on China's Cyber Security 2020. http://it.rising.com.cn/d/file/it/dongtai/20210113/2020.pdf

[2] CVE-Common vulnerabilities and exposures. http://cve.mitre.org/

[3] NVD-National vulnerability database. https://nvd.nist.gov/

[4] Vassallo C, Panichella S, Palomba F, Proksch S, Gall HC, Zaidman A. How developers engage with static analysis tools in different contexts. Empirical Software Engineering, 2020, 25(2):1419-1457.

[5] Revertion of all of the umn.edu commits. https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/

[6] Johnson B, Song Y, Murphy-Hill E, Bowdidge R. Why don't software developers use static analysis tools to find bugs?In:Proc. of the 35th Int'l Conf. on Software Engineering (ICSE). IEEE, 2013. 672-681.

[7] Juliet test suite for C/C++. https://samate.nist.gov/SRD/testsuite.php

[8] Shen Z, Chen S. A survey of automatic software vulnerability detection, program repair, and defect prediction techniques. In:Proc. of the Security and Communication Networks. 2020.

[9] Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools. In:Proc. of the 2010 IEEE Int'l Conf. on Information Theory and Information Security. IEEE, 2010. 521-524.

[10] Zhang J, Zhang C, Xuan JF, Xiong YF, Wang QX, Liang B, Li L, Dou WS, Chen ZB, Chen LQ, Cai Y. Recent progress in program analysis. Ruan Jian Xue Bao/Journal of Software, 2019, 30(1):80-109(in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5651.htm[doi:10.13328/j.cnki.jos.005651]

[11] Fosdick LD, Osterweil LJ. Data flow analysis in software reliability. ACM Computing Surveys (CSUR), 1976, 8(3):305-330.

[12] Yang Z, Yang M. Leakminer:Detect information leakage on Android with static taint analysis. In:Proc. of the 3rd World Congress on Software Engineering. IEEE, 2012. 101-104.

[13] Baier C, Katoen JP. Principles of Model Checking. MIT Press, 2008.

[14] Cousot P, Cousot R. Static determination of dynamic properties of generalized type unions. ACM SIGOPS Operating Systems Review, 1977, 11(2):77-94.

[15] Cousot P, Cousot R. Abstract interpretation:A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In:Proc. of the 4th ACM SIGACT-SIGPLAN Symp. on Principles of Programming Languages. 1977. 238-252.

[16] Cousot P, Cousot R. Systematic design of program analysis frameworks. In:Proc. of the 6th ACM SIGACT-SIGPLAN Symp. on Principles of Programming Languages. 1979. 269-282.

[17] Dahse J, Schwenk J. RIPS-A static source code analyser for vulnerabilities in PHP scripts. In:Proc. of the Seminar Work (SeminerÇalismasi). Horst Görtz Institute Ruhr-University Bochum, 2010.

[18] Satyanarayana V, Sekhar M. Static analysis tool for detecting Web application vulnerabilities. Int'l Journal of Modern Engineering Research (IJMER), 2011, 1(1):127-133.

[19] Nunes PJC, Fonseca J, Vieira M. phpSAFE:A security analysis tool for OOP Web application plugins. In:Proc. of the 45th Annual IEEE/IFIP Int'l Conf. on Dependable Systems and Networks. IEEE, 2015. 299-306.

[20] Ferschke O, Gurevych I, Rittberger M. FlawFinder:A modular system for predicting quality flaws in Wikipedia. In:Proc. of the CLEF (Online Working Notes/Labs/Workshop). 2012. 1-10.

[21] Hovemeyer D, Pugh W. Finding bugs is easy. ACM SIGPLAN Notices, 2004, 39(12):92-106.

[22] PMD source code analyzer. https://pmd.github.io/

[23] Cppcheck-A tool for static C/C++code analysis. http://cppcheck.net/

[24] Pereira JDA, Vieira M. On the use of open-source C/C++static analysis tools in large projects. In:Proc. of the 16th European Dependable Computing Conf.(EDCC). IEEE, 2020. 97-102.

[25] Kirchner F, Kosmatov N, Prevosto V, Signoles J, Yakobowski B. Frama-C:A software analysis perspective. Formal Aspects of Computing, 2015, 27(3):573-609.

[26] OCLint. https://oclint.org/

[27] Evans D, Larochelle D. Improving security using extensible lightweight static analysis. IEEE Software, 2002, 19(1):42-51.

[28] SonarQube. https://www.sonarqube.org/

[29] CheckMarx. https://www.checkmarx.com/

[30] Coverity SAST. https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html

[31] Fortify static code analyzer. https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer

[32] Facebook infer. https://fbinfer.com/

[33] Clang static analyzer. https://clang-analyzer.llvm.org/

[34] Sui Y, Ye D, Xue J. Static memory leak detection using full-sparse value-flow analysis. In:Proc. of the 2012 Int'l Symp. on Software Testing and Analysis. 2012. 254-264.

[35] Lattner C, Adve V. LLVM:A compilation framework for lifelong program analysis& transformation. In:Proc. of the Int'l Symp. on Code Generation and Optimization (CGO 2004). IEEE, 2004. 75-86.

[36] Reynolds JC. Separation logic:A logic for shared mutable data structures. In:Proc. of the 17th Annual IEEE Symp. on Logic in Computer Science. IEEE, 2002. 55-74.

[37] Calcagno C, Distefano D, O'hearn PW, Yang H. Compositional shape analysis by means of bi-abduction. Journal of the ACM (JACM), 2011, 58(6):1-66.

[38] King JC. Symbolic execution and program testing. Communications of the ACM, 1976, 19(7):385-394.

[39] Baldoni R, Coppa E, D'elia DC, Demetrescu C, Finocchi I. A survey of symbolic execution techniques. ACM Computing Surveys (CSUR), 2018, 51(3):1-39.

[40] Sui Y, Xue J. SVF:Interprocedural static value-flow analysis in LLVM. In:Proc. of the 25th Int'l Conf. on Compiler Construction. 2016. 265-266.

[41] Andersen LO. Program analysis and specialization for the C programming language[Ph.D. Thesis]. DIKU:University of Copenhagen, 1994.

[42] Whole program LLVM. https://github.com/travitch/whole-program-llvm

[43] Yan H, Sui Y, Chen S, Xue J. Spatio-temporal context reduction:A pointer-analysis-based static approach for detecting use-after-free vulnerabilities. In:Proc. of the 40th IEEE/ACM Int'l Conf. on Software Engineering (ICSE). IEEE, 2018. 327-337.

[44] Yan H, Sui Y, Chen S, Xue J. Machine-learning-guided typestate analysis for static use-after-free detection. In:Proc. of the 33rd Annual Computer Security Applications Conf. 2017. 42-54.

[45] Shi Q, Xiao X, Wu R, Zhou J, Fan G, Zhang C. Pinpoint:Fast and precise sparse value flow analysis for million lines of code. In:Proc. of the 39th ACM SIGPLAN Conf. on Programming Language Design and Implementation. 2018. 693-706.

[46] Akers SB. Binary decision diagrams. IEEE Trans. on Computers, 1978, 27(6):509-516.

[47] LGTM-Continuous security analysis. https://lgtm.com/

[48] Shi Q, Yao P, Wu R, Zhang C. Path-sensitive sparse analysis without path conditions. In:Proc. of the 42nd ACM SIGPLAN Int'l Conf. on Programming Language Design and Implementation. 2021. 930-943.

[49] Wilson RP, Lam MS. Efficient context-sensitive pointer analysis for C programs. ACM SIGPLAN Notices, 1995, 30(6):1-12.

[50] Arusoaie A, Ciobâca S, Craciun V, Gavrilut D, Lucanu D. A comparison of open-source static analysis tools for vulnerability detection in C/C++code. In:Proc. of the 19th Int'l Symp. on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC). IEEE, 2017. 161-168.

[51] Marcilio D, Bonifácio R, Monteiro E, Canedo E, Luz W, Pinto G. Are static analysis violations really fixed?A closer look at realistic usage of sonarqube. In:Proc. of the 27th IEEE/ACM Int'l Conf. on Program Comprehension (ICPC). IEEE, 2019. 209-219.

附中文参考文献:
[10] 张健,张超,玄跻峰,熊英飞,王千祥,梁彬,李炼,窦文生,陈振邦,陈立前,蔡彦.程序分析研究进展.软件学报, 2019, 30(1):80-109. http://www.jos.org.cn/1000-9825/5651.htm[doi:10.13328/j.cnki.jos.005651]

引用本文

李广威,袁挺,李炼.开源CC++静态软件缺陷检测工具实证研究.软件学报,2022,33(6):2061-2081

复制

文章指标

点击次数:2565
下载次数: 5611
HTML阅读次数: 4132
引用次数: 0

历史

收稿日期:2021-09-05
最后修改日期:2021-10-15
录用日期:
在线发布日期: 2022-01-28
出版日期: 2022-06-06

微信服务号

微信订阅号

引用本文

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

分享

微信扫一扫：分享

文章指标

历史

文章二维码