FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level Fuzzing
Manual confirmation of static analysis reports is a daunting task. This is due to both the large number of warnings and the high density of false positives among them. Fuzzing techniques have been proposed to verify static analysis warnings. However, a major limitation is that fuzzing the whole project to reach all static analysis warnings is not feasible. This can take several days and exponential machine time to increase code coverage linearly. Therefore, we propose FuzzSlice, a novel framework that automatically prunes possible false positives among static analysis warnings. Unlike prior work that mostly focuses on confirming true positives among static analysis warnings, which inevitably requires end-to-end fuzzing, FuzzSlice focuses on ruling out potential false positives, which are the majority in static analysis reports. The key insight that we base our work on is that a warning that does not yield a crash when fuzzed at the function level in a given time budget is most likely a false positive. To achieve this, FuzzSlice first aims to generate compilable code slices at the function level. Then, FuzzSlice fuzzes these code slices instead of the entire binary to prune possible false positives. FuzzSlice is also unlikely to misclassify a true bug as a false positive because the crashing input can be reproduced by a fuzzer at the function level as well. We evaluate FuzzSlice on the Juliet synthetic dataset and real-world complex C projects: openssl, tmux and openssh-portable. Our evaluation shows that the ground truth in the Juliet dataset had 864 false positives which were all detected by FuzzSlice. For the open-source repositories, we were able to get the developers from two of these open-source repositories to independently label these warnings. FuzzSlice automatically identifies 33 possible false positives out of 53 false positives confirmed by developers in these two repositories. This implies that FuzzSlice can reduce the number of false positives by 62.26% in the open-source repositories and by 100% in the Juliet dataset.
Wed 17 AprDisplayed time zone: Lisbon change
16:00 - 17:30 | Security 2Research Track / Software Engineering in Practice / Journal-first Papers / New Ideas and Emerging Results at Grande Auditório Chair(s): Diomidis Spinellis Athens University of Economics and Business & Delft University of Technology | ||
16:00 15mTalk | PonziGuard: Detecting Ponzi Schemes on Ethereum with Contract Runtime Behavior Graph (CRBG) Research Track Ruichao Liang Wuhan University, Jing Chen Wuhan University, Kun He Wuhan University, Yueming Wu Nanyang Technological University, Gelei Deng Nanyang Technological University, Ruiying Du Wuhan University, Cong Wu The University of Hong Kong | ||
16:15 15mTalk | FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level Fuzzing Research Track Aniruddhan Murali University of Waterloo, Noble Saji Mathews University of Waterloo, Canada, Mahmoud Alfadel University of Waterloo, Mei Nagappan University of Waterloo, Meng Xu University of Waterloo DOI Pre-print | ||
16:30 15mTalk | LibvDiff: Library Version Difference Guided OSS Version Identification in Binaries Research Track Chaopeng Dong University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, Siyuan Li University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, shouguo yang Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, Yang Xiao Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yongpan Wang University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Zhi Li Institute of Information Engineering, Chinese Academy of Sciences, China, Limin Sun Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, | ||
16:45 15mTalk | PrivacyCAT: Privacy-Aware Code Analysis at Scale Software Engineering in Practice Ke Mao Meta, Cons Ahs Meta, Sopot Cela Meta, Dino Distefano Meta, Nick Gardner Meta, Radu Grigore Meta, Per Gustafsson Meta, Ákos Hajdu Meta, Timotej Kapus Meta, Matteo Marescotti Meta, Gabriela Cunha Sampaio Meta, Thibault Suzanne Meta | ||
17:00 7mTalk | Software in the Manufacturing Industry: Emerging Security Challenge Areas for IIoT Platforms Software Engineering in Practice Yannick Landeck fortiss GmbH, Dian Balta fortiss GmbH, Martin Wimmer Siemens AG, Christian Knierim Siemens AG DOI | ||
17:07 7mTalk | Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based Infrastructure Management Journal-first Papers Link to publication DOI Pre-print | ||
17:14 7mTalk | Synthesis of Allowlists for Runtime Protection against SQLi New Ideas and Emerging Results Kostyantyn Vorobyov Oracle Labs, François Gauthier Oracle Labs, Paddy Krishnan Oracle Labs, Australia |