Targeted Greybox Fuzzing with Static Lookahead Analysis

Automatic test generation typically aims to generate inputs that explore new paths in the program under test in order to find bugs. Existing work has, therefore, focused on guiding the exploration toward program parts that are more likely to contain bugs by using an offline static analysis. In this paper, we introduce a novel technique for targeted greybox fuzzing using an online static analysis that guides the fuzzer toward a set of target locations, for instance, located in recently modified parts of the program. This is achieved by first semantically analyzing each program path that is explored by an input in the fuzzer's test suite. The results of this analysis are then used to control the fuzzer's specialized power schedule, which determines how often to fuzz inputs from the test suite. We implemented our technique by extending a state-of-the-art, industrial fuzzer for Ethereum smart contracts and evaluate its effectiveness on 27 real-world benchmarks. Using an online analysis is particularly suitable for the domain of smart contracts since it does not require any code instrumentation---instrumentation to contracts changes their semantics. Our experiments show that targeted fuzzing significantly outperforms standard greybox fuzzing for reaching 83% of the challenging target locations (up to 14x of median speed-up)

QChecker: Detecting Bugs in Quantum Programs via Static Analysis

Static analysis is the process of analyzing software code without executing the software. It can help find bugs and potential problems in software that may only appear at runtime. Although many static analysis tools have been developed for classical software, due to the nature of quantum programs, these existing tools are unsuitable for analyzing quantum programs. This paper presents QChecker, a static analysis tool that supports finding bugs in quantum programs in Qiskit. QChecker consists of two main modules: a module for extracting program information based on abstract syntax tree (AST), and a module for detecting bugs based on patterns. We evaluate the performance of QChecker using the Bugs4Q benchmark. The evaluation results show that QChecker can effectively detect various bugs in quantum programs.Comment: This paper will be appeared in the proceedings of the 4th International Workshop on Quantum Software Engineering (Q-SE 2023) on May 14, 202

Diagnose network failures via data-plane analysis

Diagnosing problems in networks is a time-consuming and error-prone process. Previous tools to assist operators primarily focus on analyzing control plane configuration. Configuration analysis is limited in that it cannot find bugs in router software, and is harder to generalize across protocols since it must model complex configuration languages and dynamic protocol behavior. This paper studies an alternate approach: diagnosing problems through static analysis of the data plane. This approach can catch bugs that are invisible at the level of configuration files, and simplifies unified analysis of a network across many protocols and implementations. We present Anteater, a tool for checking invariants in the data plane. Anteater translates high-level network invariants into boolean satisfiability problems, checks them against network state using a SAT solver, and reports counterexamples if violations have been found. Applied to a large campus network, Anteater revealed 23 bugs, including forwarding loops and stale ACL rules, with only five false positives. Nine of these faults are being fixed by campus network operators

Simple and Effective Static Analysis to Find Bugs

Much research in recent years has focused on using static analysis to find bugs in software. Many new approaches employing sophisticated program analysis techniques---inter-procedural, context-sensitive, or path-sensitive---have been developed. However, comparatively little work has been done on determining what bugs can be found using <i>simple</i> analysis techniques. We have found that simple static analysis techniques are effective at finding hundreds or thousands of serious software defects in several large commercial software applications. In our research, we have attempted to characterize the bugs that can be found in production software using simple analysis techniques. Examples of simple analysis techniques include inspection of class hierarchies and method signatures, sequential scanning of program instructions using a state machine recognizer, intra-procedural dataflow analysis, and flow-insensitive whole program analysis. To determine what bugs may be found using these techniques, we performed <i>bug-driven</i> research. Starting from examples of real bugs, we tried to develop simple analysis techniques to find similar bugs. Using this approach, we found a large number of serious bugs in production applications and libraries with a relatively low percentage of false positives. The types of bugs our analysis uncovered in production code include null pointer dereferences, infinite recursive loops, data races, deadlocks, and missed thread notifications. One product of this work is a static analysis tool called FindBugs, which analyzes Java programs at the bytecode level. We have distributed FindBugs under an open-source license, and it has been widely adopted by commercial organizations and open-source projects. FindBugs has been downloaded more than 110,000 times since its initial release. Our work makes several contributions to the field. First, we have cataloged many commonly-occurring bug patterns, described effective ways of finding occurrences of those patterns automatically, and classified common reasons why these bugs occur. Second, we have measured the accuracy of our bug detectors on production software and student programming projects, validating the effectiveness of the underlying static analysis techniques. Finally, we have described techniques for determining when static analysis warnings are added or removed as software evolves

Improving Software Quality Attributes of PS Using Stylecop

Software product quality improvement is a desired attribute and a strenuous effort is required to achieve that Static Code Analysis SCA is used to find coding bugs Stylecop is an SCA tool from Microsoft In this paper SCA and stylecop usages are discussed Also a comparison of Software Testing software Metrics Source Code Analysis SCA is done Product PS designed by author1 and author2 is introduced PS application is analyzed using static SCA tool Stylecop After analysis recommendations were applied to PS The results showed improved software quality attribute

WYSIWIB: A Declarative Approach to Finding API Protocols and Bugs in Linux Code

International audienceEliminating OS bugs is essential to ensuring the reliability of infrastructures ranging from embedded systems to servers. Several tools based on static analysis have been proposed for finding bugs in OS code. They have, however, emphasized scalability over usability, making it difficult to focus the tools on specific kinds of bugs and to relate the results to patterns in the source code. We propose a declarative approach to bug finding in Linux OS code using a control-flow based program search engine. Our approach is WYSIWIB (What You See Is Where It Bugs), since the programmer expresses specifications for bug finding using a syntax close to that of ordinary C code. The key advantage of our approach is that search specifications can be easily tailored, to eliminate false positives or catch more bugs. We present three case studies that have allowed us to find hundreds of potential bugs

How Effective are Smart Contract Analysis Tools? Evaluating Smart Contract Static Analysis Tools Using Bug Injection

Security attacks targeting smart contracts have been on the rise, which have led to financial loss and erosion of trust. Therefore, it is important to enable developers to discover security vulnerabilities in smart contracts before deployment. A number of static analysis tools have been developed for finding security bugs in smart contracts. However, despite the numerous bug-finding tools, there is no systematic approach to evaluate the proposed tools and gauge their effectiveness. This paper proposes SolidiFI, an automated and systematic approach for evaluating smart contract static analysis tools. SolidiFI is based on injecting bugs (i.e., code defects) into all potential locations in a smart contract to introduce targeted security vulnerabilities. SolidiFI then checks the generated buggy contract using the static analysis tools, and identifies the bugs that the tools are unable to detect (false-negatives) along with identifying the bugs reported as false-positives. SolidiFI is used to evaluate six widely-used static analysis tools, namely, Oyente, Securify, Mythril, SmartCheck, Manticore and Slither, using a set of 50 contracts injected by 9369 distinct bugs. It finds several instances of bugs that are not detected by the evaluated tools despite their claims of being able to detect such bugs, and all the tools report many false positivesComment: ISSTA 202