State Key Laboratory of Computer Architecture (Institute of Computing Technology, Chinese Academy of Sciences), Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China
Static software defect detection is an active research topic in software engineering and software security. As software grows in complexity and size, static software defect detection has been adopted in both industry and academia because it can find defects in C/C++ programs without executing them. A large number of static analysis tools (SATs) for C/C++ have been developed in recent years, and they play an important role in automatically finding defects in all kinds of C/C++ software projects. Despite this, developers still have little confidence in SATs, mainly because of the high false positive rate, which has remained an unsolved problem for a long time. This research examines state-of-the-art static analysis tools for C/C++ in depth and determines why false positives are raised by running the tools on the Juliet Test Suite and 37 open-source real-world software projects. Drawing on the design and implementation details of the selected open-source SATs, the exact reasons behind the high false positive rate are identified. In addition, the development trends and the future of state-of-the-art open-source C/C++ SATs are traced.