Article

Test-Driving Static Analysis Tools in Search of C Code Vulnerabilities

Authors:

George Chatzieleftheriou,

Panagiotis KatsarosAuthors Info & Claims

COMPSACW '11: Proceedings of the 2011 IEEE 35th Annual Computer Software and Applications Conference Workshops

Pages 96 - 103

https://doi.org/10.1109/COMPSACW.2011.26

Published: 18 July 2011 Publication History

Abstract

Recently, a number of tools for automated code scanning came in the limelight. Due to the significant costs associated with incorporating such a tool in the software lifecycle, it is important to know what defects are detected and how accurate and efficient the analysis is. We focus specifically on popular static analysis tools for C code defects. Existing benchmarks include the actual defects in open source programs, but they lack systematic coverage of possible code defects and the coding complexities in which they arise. We introduce a test suite implementing the discussed requirements for frequent defects selected from public catalogues. Four open source and two commercial tools are compared in terms of their effectiveness and efficiency of their detection capability. A wide range of C constructs is taken into account and appropriate metrics are computed, which show how the tools balance inherent analysis tradeoffs and efficiency. The results are useful for identifying the appropriate tool, in terms of cost-effectiveness, while the proposed methodology and test suite may be reused.

Cited By

View all

Lipp SBanescu SPretschner ARyu SSmaragdakis Y(2022)An empirical study on the effectiveness of static C code analyzers for vulnerability detectionProceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3533767.3534380(544-555)Online publication date: 18-Jul-2022
https://dl.acm.org/doi/10.1145/3533767.3534380
Stroggylos KMitropoulos DTzermias ZPapadopoulos PRafailidis FSpinellis DIoannidis SKatsaros PSokratis KMichael HTheodoros ADimosthenis AElias CTheodora VMara N(2014)Securing Legacy Code with the TRACER PlatformProceedings of the 18th Panhellenic Conference on Informatics10.1145/2645791.2645796(1-6)Online publication date: 2-Oct-2014
https://dl.acm.org/doi/10.1145/2645791.2645796
Rafailidis FPanagos IKatsaros PArvanitidis AKetikidis PMargaritis KVlahavas IChatzigeorgiou AEleftherakis GStamelos I(2013)Inlined monitors for security policy enforcement in web applicationsProceedings of the 17th Panhellenic Conference on Informatics10.1145/2491845.2491861(75-82)Online publication date: 19-Sep-2013
https://dl.acm.org/doi/10.1145/2491845.2491861
Show More Cited By

Recommendations

Can static analysis tools find more defects?: A qualitative study of design rule violations found by code review
Abstract
Static analysis tools find defects in code, checking code against rules to reveal potential defects. Many studies have evaluated these tools by measuring their ability to detect known defects in code. But these studies measure the current state of ...
Comparing Static Security Analysis Tools Using Open Source Software
SERE-C '12: Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability Companion

Software vulnerabilities present a significant impediment to the safe operation of many computer applications, both proprietary and open source. Fortunately, many static analysis tools exist to identify potential security issues. We present the results ...
FOSS version differentiation as a benchmark for static analysis security testing tools
ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

We propose a novel methodology that allows automatic construction of benchmarks for Static Analysis Security Testing (SAST) tools based on real-world software projects by differencing vulnerable and fixed versions in FOSS repositories. The methodology ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

COMPSACW '11: Proceedings of the 2011 IEEE 35th Annual Computer Software and Applications Conference Workshops

July 2011

520 pages

ISBN:9780769544595

Publisher

IEEE Computer Society

United States

Publication History

Published: 18 July 2011

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 13 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Lipp SBanescu SPretschner ARyu SSmaragdakis Y(2022)An empirical study on the effectiveness of static C code analyzers for vulnerability detectionProceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3533767.3534380(544-555)Online publication date: 18-Jul-2022
https://dl.acm.org/doi/10.1145/3533767.3534380
Stroggylos KMitropoulos DTzermias ZPapadopoulos PRafailidis FSpinellis DIoannidis SKatsaros PSokratis KMichael HTheodoros ADimosthenis AElias CTheodora VMara N(2014)Securing Legacy Code with the TRACER PlatformProceedings of the 18th Panhellenic Conference on Informatics10.1145/2645791.2645796(1-6)Online publication date: 2-Oct-2014
https://dl.acm.org/doi/10.1145/2645791.2645796
Rafailidis FPanagos IKatsaros PArvanitidis AKetikidis PMargaritis KVlahavas IChatzigeorgiou AEleftherakis GStamelos I(2013)Inlined monitors for security policy enforcement in web applicationsProceedings of the 17th Panhellenic Conference on Informatics10.1145/2491845.2491861(75-82)Online publication date: 19-Sep-2013
https://dl.acm.org/doi/10.1145/2491845.2491861
Slaby JStrejček JTrtík M(2013)ClabureDBProceedings of the 14th International Conference on Verification, Model Checking, and Abstract Interpretation - Volume 773710.1007/978-3-642-35873-9_17(268-274)Online publication date: 20-Jan-2013
https://dl.acm.org/doi/10.1007/978-3-642-35873-9_17
Ibing A(2013)SMT-Constrained Symbolic Execution for Eclipse CDT/CodanRevised Selected Papers of the SEFM 2013 Collocated Workshops on Software Engineering and Formal Methods - Volume 836810.1007/978-3-319-05032-4_9(113-124)Online publication date: 23-Sep-2013
https://dl.acm.org/doi/10.1007/978-3-319-05032-4_9
Karampaglis ZMentis ARafailidis FTsolakidis PAmpatzoglou A(2012)Secure Migration of Legacy Applications to the WebRevised Selected Papers of the SEFM 2012 Satellite Events on Information Technology and Open Source: Applications for Education, Innovation, and Sustainability - Volume 799110.1007/978-3-642-54338-8_19(229-243)Online publication date: 1-Oct-2012
https://dl.acm.org/doi/10.1007/978-3-642-54338-8_19
Cuoq PKirchner FKosmatov NPrevosto VSignoles JYakobowski B(2012)Frama-CProceedings of the 10th international conference on Software Engineering and Formal Methods10.1007/978-3-642-33826-7_16(233-247)Online publication date: 1-Oct-2012
https://dl.acm.org/doi/10.1007/978-3-642-33826-7_16

Abstract

Cited By

Recommendations

Can static analysis tools find more defects?: A qualitative study of design rule violations found by code review

Comparing Static Security Analysis Tools Using Open Source Software

FOSS version differentiation as a benchmark for static analysis security testing tools

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Share

Share this Publication link

Share on social media

Affiliations