开源CC++静态软件缺陷检测工具实证研究
作者:
作者简介:

李广威(1991-),男,博士生,CCF学生会员,主要研究领域为程序分析;李炼(1977-),男,博士,研究员,博士生导师,CCF专业会员,主要研究领域为程序分析,软件安全;袁挺(1994-),男,博士生,主要研究领域为程序分析

通讯作者:

李炼,E-mail:lianli@ict.ac.cn

中图分类号:

TP311

基金项目:

国家自然科学基金(61802368,62090024)


Study of State-of-the-art Open-source C/C++ Static Analysis Tools
Author:
  • 摘要
  • | |
  • 访问统计
  • |
  • 参考文献 [52]
  • |
  • 相似文献 [20]
  • | | |
  • 文章评论
    摘要:

    软件静态缺陷检测是软件安全领域中的一个研究热点.随着使用C/C++语言编写的软件规模和复杂度的逐渐提高,软件迭代速度的逐渐加快,由于静态软件缺陷检测不需要运行目标代码即可发现其中潜藏的缺陷,因而在工业界和学术界受到了更为广泛的关注.近年来涌现出大量使用软件静态分析技术的检测工具,并在不同领域的软件项目中发挥了不可忽视的作用,但是开发者仍然对静态缺陷检测工具缺乏信心.高误报率是C/C++静态缺陷检测工具难以普及的首要原因.因此,选择现有的较为完善的开源C/C++静态缺陷检测工具,在Juliet基准测试集和37个良好维护的开源软件项目上对特定类型缺陷的检测效果进行了深入研究,结合检测工具的具体实现,归纳了导致静态缺陷检测工具产生误报的关键原因.同时,通过研究静态缺陷检测工具的版本迁移轨迹,总结出了当下静态分析工具的发展方向和未来趋势,有助于未来静态分析技术的优化和发展,从而实现静态缺陷检测工具的普及应用.

    Abstract:

    Static software defect detection is an active research topic in the domain of software engineering and software security. Along with the increase of software complexity and size, static software defect detection has been applied in both industry and academy to take the benefit of finding defects in C/C++ programs without execution. A large amount of static analysis tools (SATs) for C/C++ have been developed in recent years, and have played an important role in automatically finding defects in various kinds of C/C++ software projects. In spite of this, developers are still having less confidence on SATs mainly due to the high false positive rate that has been an unsolved problem for a long time. This research dives deep into state-of-the-art static analysis tools for C/C++ and figures out why false positives are raised through the approach of running them on Juliet Test Suite and 37 open-source real-world software projects. With insight of the design and implementation details of the selected open-source SATs, the exact reasons of which result in the high false positive rateare found. Moreover, the effort is also made to trace the tendency of development and the future of state-of-the-art open-source C/C++ SATs.

    参考文献
    [1] Annual Report on China's Cyber Security 2020. http://it.rising.com.cn/d/file/it/dongtai/20210113/2020.pdf
    [2] CVE-Common vulnerabilities and exposures. http://cve.mitre.org/
    [3] NVD-National vulnerability database. https://nvd.nist.gov/
    [4] Vassallo C, Panichella S, Palomba F, Proksch S, Gall HC, Zaidman A. How developers engage with static analysis tools in different contexts. Empirical Software Engineering, 2020, 25(2):1419-1457.
    [5] Revertion of all of the umn.edu commits. https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/
    [6] Johnson B, Song Y, Murphy-Hill E, Bowdidge R. Why don't software developers use static analysis tools to find bugs?In:Proc. of the 35th Int'l Conf. on Software Engineering (ICSE). IEEE, 2013. 672-681.
    [7] Juliet test suite for C/C++. https://samate.nist.gov/SRD/testsuite.php
    [8] Shen Z, Chen S. A survey of automatic software vulnerability detection, program repair, and defect prediction techniques. In:Proc. of the Security and Communication Networks. 2020.
    [9] Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools. In:Proc. of the 2010 IEEE Int'l Conf. on Information Theory and Information Security. IEEE, 2010. 521-524.
    [10] Zhang J, Zhang C, Xuan JF, Xiong YF, Wang QX, Liang B, Li L, Dou WS, Chen ZB, Chen LQ, Cai Y. Recent progress in program analysis. Ruan Jian Xue Bao/Journal of Software, 2019, 30(1):80-109(in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5651.htm[doi:10.13328/j.cnki.jos.005651]
    [11] Fosdick LD, Osterweil LJ. Data flow analysis in software reliability. ACM Computing Surveys (CSUR), 1976, 8(3):305-330.
    [12] Yang Z, Yang M. Leakminer:Detect information leakage on Android with static taint analysis. In:Proc. of the 3rd World Congress on Software Engineering. IEEE, 2012. 101-104.
    [13] Baier C, Katoen JP. Principles of Model Checking. MIT Press, 2008.
    [14] Cousot P, Cousot R. Static determination of dynamic properties of generalized type unions. ACM SIGOPS Operating Systems Review, 1977, 11(2):77-94.
    [15] Cousot P, Cousot R. Abstract interpretation:A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In:Proc. of the 4th ACM SIGACT-SIGPLAN Symp. on Principles of Programming Languages. 1977. 238-252.
    [16] Cousot P, Cousot R. Systematic design of program analysis frameworks. In:Proc. of the 6th ACM SIGACT-SIGPLAN Symp. on Principles of Programming Languages. 1979. 269-282.
    [17] Dahse J, Schwenk J. RIPS-A static source code analyser for vulnerabilities in PHP scripts. In:Proc. of the Seminar Work (SeminerÇalismasi). Horst Görtz Institute Ruhr-University Bochum, 2010.
    [18] Satyanarayana V, Sekhar M. Static analysis tool for detecting Web application vulnerabilities. Int'l Journal of Modern Engineering Research (IJMER), 2011, 1(1):127-133.
    [19] Nunes PJC, Fonseca J, Vieira M. phpSAFE:A security analysis tool for OOP Web application plugins. In:Proc. of the 45th Annual IEEE/IFIP Int'l Conf. on Dependable Systems and Networks. IEEE, 2015. 299-306.
    [20] Ferschke O, Gurevych I, Rittberger M. FlawFinder:A modular system for predicting quality flaws in Wikipedia. In:Proc. of the CLEF (Online Working Notes/Labs/Workshop). 2012. 1-10.
    [21] Hovemeyer D, Pugh W. Finding bugs is easy. ACM SIGPLAN Notices, 2004, 39(12):92-106.
    [22] PMD source code analyzer. https://pmd.github.io/
    [23] Cppcheck-A tool for static C/C++code analysis. http://cppcheck.net/
    [24] Pereira JDA, Vieira M. On the use of open-source C/C++static analysis tools in large projects. In:Proc. of the 16th European Dependable Computing Conf.(EDCC). IEEE, 2020. 97-102.
    [25] Kirchner F, Kosmatov N, Prevosto V, Signoles J, Yakobowski B. Frama-C:A software analysis perspective. Formal Aspects of Computing, 2015, 27(3):573-609.
    [26] OCLint. https://oclint.org/
    [27] Evans D, Larochelle D. Improving security using extensible lightweight static analysis. IEEE Software, 2002, 19(1):42-51.
    [28] SonarQube. https://www.sonarqube.org/
    [29] CheckMarx. https://www.checkmarx.com/
    [30] Coverity SAST. https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
    [31] Fortify static code analyzer. https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer
    [32] Facebook infer. https://fbinfer.com/
    [33] Clang static analyzer. https://clang-analyzer.llvm.org/
    [34] Sui Y, Ye D, Xue J. Static memory leak detection using full-sparse value-flow analysis. In:Proc. of the 2012 Int'l Symp. on Software Testing and Analysis. 2012. 254-264.
    [35] Lattner C, Adve V. LLVM:A compilation framework for lifelong program analysis& transformation. In:Proc. of the Int'l Symp. on Code Generation and Optimization (CGO 2004). IEEE, 2004. 75-86.
    [36] Reynolds JC. Separation logic:A logic for shared mutable data structures. In:Proc. of the 17th Annual IEEE Symp. on Logic in Computer Science. IEEE, 2002. 55-74.
    [37] Calcagno C, Distefano D, O'hearn PW, Yang H. Compositional shape analysis by means of bi-abduction. Journal of the ACM (JACM), 2011, 58(6):1-66.
    [38] King JC. Symbolic execution and program testing. Communications of the ACM, 1976, 19(7):385-394.
    [39] Baldoni R, Coppa E, D'elia DC, Demetrescu C, Finocchi I. A survey of symbolic execution techniques. ACM Computing Surveys (CSUR), 2018, 51(3):1-39.
    [40] Sui Y, Xue J. SVF:Interprocedural static value-flow analysis in LLVM. In:Proc. of the 25th Int'l Conf. on Compiler Construction. 2016. 265-266.
    [41] Andersen LO. Program analysis and specialization for the C programming language[Ph.D. Thesis]. DIKU:University of Copenhagen, 1994.
    [42] Whole program LLVM. https://github.com/travitch/whole-program-llvm
    [43] Yan H, Sui Y, Chen S, Xue J. Spatio-temporal context reduction:A pointer-analysis-based static approach for detecting use-after-free vulnerabilities. In:Proc. of the 40th IEEE/ACM Int'l Conf. on Software Engineering (ICSE). IEEE, 2018. 327-337.
    [44] Yan H, Sui Y, Chen S, Xue J. Machine-learning-guided typestate analysis for static use-after-free detection. In:Proc. of the 33rd Annual Computer Security Applications Conf. 2017. 42-54.
    [45] Shi Q, Xiao X, Wu R, Zhou J, Fan G, Zhang C. Pinpoint:Fast and precise sparse value flow analysis for million lines of code. In:Proc. of the 39th ACM SIGPLAN Conf. on Programming Language Design and Implementation. 2018. 693-706.
    [46] Akers SB. Binary decision diagrams. IEEE Trans. on Computers, 1978, 27(6):509-516.
    [47] LGTM-Continuous security analysis. https://lgtm.com/
    [48] Shi Q, Yao P, Wu R, Zhang C. Path-sensitive sparse analysis without path conditions. In:Proc. of the 42nd ACM SIGPLAN Int'l Conf. on Programming Language Design and Implementation. 2021. 930-943.
    [49] Wilson RP, Lam MS. Efficient context-sensitive pointer analysis for C programs. ACM SIGPLAN Notices, 1995, 30(6):1-12.
    [50] Arusoaie A, Ciobâca S, Craciun V, Gavrilut D, Lucanu D. A comparison of open-source static analysis tools for vulnerability detection in C/C++code. In:Proc. of the 19th Int'l Symp. on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC). IEEE, 2017. 161-168.
    [51] Marcilio D, Bonifácio R, Monteiro E, Canedo E, Luz W, Pinto G. Are static analysis violations really fixed?A closer look at realistic usage of sonarqube. In:Proc. of the 27th IEEE/ACM Int'l Conf. on Program Comprehension (ICPC). IEEE, 2019. 209-219.
    附中文参考文献:
    [10] 张健,张超,玄跻峰,熊英飞,王千祥,梁彬,李炼,窦文生,陈振邦,陈立前,蔡彦.程序分析研究进展.软件学报, 2019, 30(1):80-109. http://www.jos.org.cn/1000-9825/5651.htm[doi:10.13328/j.cnki.jos.005651]
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

李广威,袁挺,李炼.开源CC++静态软件缺陷检测工具实证研究.软件学报,2022,33(6):2061-2081

复制
分享
文章指标
  • 点击次数:2565
  • 下载次数: 5611
  • HTML阅读次数: 4132
  • 引用次数: 0
历史
  • 收稿日期:2021-09-05
  • 最后修改日期:2021-10-15
  • 在线发布日期: 2022-01-28
  • 出版日期: 2022-06-06
文章二维码
您是第19705231位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号