3 research outputs found

    Filtering false alarms of buffer overflow analysis using SMT solvers

    Buffer overflow detection using static analysis can provide a powerful tool for software programmers to find difficult bugs in C programs. Sound static analysis based on abstract interpretation, however, often suffers from the false alarm problem. Although more precise abstraction can reduce the number of false alarms in general, the cost to perform such analysis is often too high to be practical for large software. On the other hand, less precise abstraction is likely to be scalable in exchange for increased false alarms. In order to attain both precision and scalability, we present a method that first applies less precise abstraction to find buffer overflow alarms fast, and selectively applies a more precise analysis only to the limited areas of code around the potential false alarms. In an attempt to develop the precise analysis of alarm filtering for large C programs, we perform a symbolic execution over the potential alarms found in the previous analysis, which is based on abstract interpretation. Taking advantage of a state-of-the-art SMT solver, our precise analysis efficiently filters out a substantial number of false alarms. Our experiment with the test cases from three open source programs shows that our filtering method can reduce about 68% of false alarms on average. (C) 2009 Elsevier B.V. All rights reserved.

    Mining Fix Patterns for FindBugs Violations

    In this paper, we first collect and track a large number of fixed and unfixed violations across revisions of software. The empirical analyses reveal that there are discrepancies in the distributions of violations that are detected and those that are fixed, in terms of occurrences, spread and categories, which can provide insights into prioritizing violations. To automatically identify patterns in violations and their fixes, we propose an approach that utilizes convolutional neural networks to learn features and clustering to regroup similar instances. We then evaluate the usefulness of the identified fix patterns by applying them to unfixed violations. The results show that developers will accept and merge a majority (69/116) of fixes generated from the inferred fix patterns. It is also noteworthy that the yielded patterns are applicable to four real bugs in the Defects4J major benchmark for software testing and automated repair. Comment: Accepted for IEEE Transactions on Software Engineerin

    A Study on Improving the Usability of Static Analyzers

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Electrical and Computer Engineering, 2016. 2. 이광근.

    As programs become larger and more complex, users of static analyzers often encounter three usability issues. First, static analyzers often produce a large number of both true and false alarms that are tedious to classify manually. Second, users have to wait a long time without any progress information during analysis. Lastly, copyright concerns over software sources hinder extensive use of static analyzers. In this dissertation, we present our solutions to the three usability issues. To reduce users' alarm-classification efforts, we propose a sound method for clustering static analysis alarms. Our method clusters alarms by discovering sound dependencies between them such that if the dominant alarms of a cluster turn out to be false, all the other alarms in the same cluster are guaranteed to be false. Once clusters are found, users only need to investigate their dominant alarms. Next, we present a progress indicator for static analyzers. Our technique first combines a semantic-based pre-analysis and a statistical method to approximate how a main analysis progresses in terms of lattice height of the abstract domain. Then, we use this information during the main analysis and estimate the analysis's current progress. Lastly, we present a static analysis of encrypted programs to resolve users' copyright concerns over software sources. Users have purchased expensive commercial static analyzers or outsourced static analyses of their programs to analysis servers, taking the risk of loss of copyright. Our method allows program owners to encrypt and upload their programs to the static analysis service while the service provider can still analyze the encrypted programs without decrypting them. We have implemented all the methods on top of a realistic static analyzer for C programs and empirically proved that our methods effectively improve the usability.

    Contents:

    Chapter 1 Overview
      1.1 Problems
      1.2 Solutions
      1.3 Outline
    Chapter 2 Preliminaries
      2.1 Concepts
      2.2 Static Analyses We Use
        2.2.1 Interval Analysis
        2.2.2 Octagon Analysis
        2.2.3 Pointer Analysis
    Chapter 3 Method 1. Sound Non-statistical Alarm Clustering
      3.1 Introduction
        3.1.1 Problem
        3.1.2 Our Solution
        3.1.3 Examples
        3.1.4 Contributions
        3.1.5 Outline
      3.2 Alarm Clustering Framework
        3.2.1 Static Analysis
        3.2.2 Alarm Clustering
      3.3 Alarm-Clustering Algorithms
        3.3.1 Algorithm 1: Finding Minimal Dominant Alarms
        3.3.2 Algorithm 2: Non-Minimal but Efficient
      3.4 Instances
        3.4.1 Setting: Baseline Analyzer
        3.4.2 Clustering using Interval Domain
        3.4.3 Clustering using Octagon Domain
        3.4.4 Clustering using Symbolic Execution
      3.5 Experiments
    Chapter 4 Method 2. A Progress Bar for Static Analyzers
      4.1 Introduction
      4.2 Overall Approach to Progress Estimation
        4.2.1 Static Analysis
        4.2.2 Progress Estimation
      4.3 Setting
      4.4 Details on Our Progress Estimation
        4.4.1 The Height Function
        4.4.2 Pre-analysis via Partial Flow-Sensitivity
        4.4.3 Precise Estimation of the Final Height
      4.5 Experiments
        4.5.1 Setting
        4.5.2 Results
        4.5.3 Discussion
      4.6 Application to Relational Analyses
    Chapter 5 Method 3. Static Analysis with Set-closure in Secrecy
      5.1 Introduction
      5.2 Background
        5.2.1 Homomorphic Encryption
        5.2.2 The BGV-type crypto system
        5.2.3 Security Model
      5.3 A Basic Construction of a Pointer Analysis in Secrecy
        5.3.1 A Brief Review of a Pointer Analysis
        5.3.2 The Pointer Analysis in Secrecy
      5.4 Improvement of the Pointer Analysis in Secrecy
        5.4.1 Problems of the Basic Approach
        5.4.2 Overview of Improvement
        5.4.3 Level-by-level Analysis
        5.4.4 Ciphertext Packing
        5.4.5 Randomization of Ciphertexts
      5.5 Experimental Result
      5.6 Discussion
    Chapter 6 Related Works
      6.1 Sound Non-statistical Alarm Clustering
      6.2 A Progress Bar for Static Analyzers
      6.3 Static Analysis with Set-closure in Secrecy
    Chapter 7 Conclusions
    Chapter 8 Appendix
      A Proofs of Theorems
      B Progress Graph
      C Algorithms for the Pointer Analysis in Secrecy
    Abstract (in Korean)

    Docto