An Empirical Study on the Effectiveness of Static C/C++ Analyzers for Vulnerability Detection
Thu 21 Jul 2022, 03:20 - 03:40 at ISSTA 1. Session 1-7: Static Analysis and Specifications Testing A. Chair(s): Raghavan Komondoor
Static code analysis is often used to scan source code for potential security vulnerabilities. Given the wide range of existing solutions implementing different analysis approaches, it is very challenging to perform an objective comparison between static analysis tools to determine which ones are most effective at detecting vulnerabilities. Existing studies generally are limited in that: (1) they use synthetic benchmark datasets, whose vulnerabilities do not reflect the complexity of vulnerabilities that can be found in practice; and/or (2) they do not provide differentiated analyses w.r.t. the types of vulnerabilities output by the static analyzers. Hence their conclusions about an analyzer's capability to detect vulnerabilities may not generalize to real-world programs. In this paper, we propose a methodology for automatically evaluating the effectiveness of static code analyzers based on validated CVE reports. We evaluate five free and open-source (FOS) and one commercial static C/C++ analyzer against 27 FOS software projects containing a total of 1.15 million lines of code and 192 vulnerabilities (ground truth). While static C/C++ analyzers have been shown to perform well in benchmarks with synthetic bugs, our results indicate that state-of-the-art tools miss between 47% and 80% of the vulnerabilities in a benchmark set of real-world programs. Moreover, our study finds that this false negative rate can be reduced to 30% to 69% when combining the results of static analyzers, at the cost of 15 percentage points more functions flagged as vulnerable. Many vulnerabilities hence remain undetected, especially those beyond the classical memory-related software vulnerabilities.
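The abstract describes a function-level evaluation: analyzer warnings are mapped to the functions they flag, compared against the functions patched by validated CVE fixes, and the false negative rate is reported per tool, per vulnerability type, and for combinations of tools together with the extra share of functions flagged. The following Python script is an added illustration of that methodology; it is not the paper's artifact, and every project, function, finding, vulnerability category and tool name in it is constructed for the example.

```python
"""Function-level comparison of static analyzer findings against CVE ground truth.

Added example, not the paper's evaluation code. All projects, functions,
findings, tool names and vulnerability categories below are constructed.
"""
from itertools import combinations

# Constructed inventory of every function in the analysed projects,
# keyed (project, file, function). Ground truth and findings use these keys.
ALL_FUNCTIONS = [
    ("projA", "src/parse.c", "parse_header"), ("projA", "src/parse.c", "read_chunk"),
    ("projA", "src/parse.c", "skip_ws"), ("projA", "src/parse.c", "parse_body"),
    ("projA", "src/parse.c", "init_parser"), ("projA", "src/net.c", "recv_msg"),
    ("projA", "src/net.c", "send_msg"), ("projA", "src/net.c", "open_sock"),
    ("projA", "src/net.c", "close_sock"), ("projA", "src/util.c", "log_msg"),
    ("projA", "src/util.c", "xmalloc"), ("projA", "src/util.c", "xfree"),
    ("projB", "lib/auth.c", "check_token"), ("projB", "lib/auth.c", "hash_pw"),
    ("projB", "lib/auth.c", "load_users"), ("projB", "lib/path.c", "join_path"),
    ("projB", "lib/path.c", "normalize"), ("projB", "lib/path.c", "is_abs"),
    ("projB", "lib/main.c", "main"), ("projB", "lib/main.c", "usage"),
]

# Constructed ground truth: functions touched by validated CVE fixes, with a
# coarse vulnerability category so results can be broken down by type.
GROUND_TRUTH = {
    ("projA", "src/parse.c", "parse_header"): "buffer-overflow",
    ("projA", "src/parse.c", "read_chunk"): "integer-overflow",
    ("projA", "src/net.c", "recv_msg"): "use-after-free",
    ("projB", "lib/auth.c", "check_token"): "improper-auth",
    ("projB", "lib/path.c", "join_path"): "path-traversal",
}

# Constructed analyzer output after mapping each warning to its enclosing function.
FINDINGS = {
    "toolX": {("projA", "src/parse.c", "parse_header"), ("projA", "src/parse.c", "read_chunk"),
              ("projA", "src/parse.c", "skip_ws"), ("projA", "src/util.c", "xmalloc"),
              ("projA", "src/util.c", "xfree"), ("projA", "src/net.c", "send_msg")},
    "toolY": {("projA", "src/parse.c", "parse_header"), ("projA", "src/net.c", "recv_msg"),
              ("projA", "src/util.c", "xmalloc"), ("projA", "src/net.c", "open_sock"),
              ("projB", "lib/auth.c", "hash_pw")},
    "toolZ": {("projB", "lib/auth.c", "check_token"), ("projB", "lib/auth.c", "load_users"),
              ("projB", "lib/path.c", "normalize")},
}


def false_negative_rate(flagged, truth=GROUND_TRUTH):
    """Share of ground-truth vulnerable functions that the flagged set misses."""
    missed = [func for func in truth if func not in flagged]
    return len(missed) / len(truth)


def flagged_ratio(flagged, universe=ALL_FUNCTIONS):
    """Share of all functions reported as vulnerable (the cost side of the trade-off)."""
    return len(flagged & set(universe)) / len(universe)


def fnr_by_category(flagged, truth=GROUND_TRUTH):
    """False negative rate per vulnerability category (the differentiated view)."""
    per_cat = {}
    for func, cat in truth.items():
        total, missed = per_cat.get(cat, (0, 0))
        per_cat[cat] = (total + 1, missed + (func not in flagged))
    return {cat: missed / total for cat, (total, missed) in per_cat.items()}


def combine(findings, tools):
    """Union of flagged functions across the named tools."""
    union = set()
    for tool in tools:
        union |= findings[tool]
    return union


def best_combination(findings, k):
    """Size-k tool combination with the lowest FNR; ties broken by fewer flagged functions."""
    best = None
    for tools in combinations(sorted(findings), k):
        union = combine(findings, tools)
        key = (false_negative_rate(union), len(union))
        if best is None or key < best[0]:
            best = (key, tools)
    return best[1]


def evaluate(findings=FINDINGS, truth=GROUND_TRUTH):
    """Per-tool metrics plus the all-tools union, with the gain and cost of combining."""
    report = {tool: {"fnr": false_negative_rate(flagged, truth),
                     "flagged_ratio": flagged_ratio(flagged)}
              for tool, flagged in findings.items()}
    union = combine(findings, findings)
    best_single_fnr = min(r["fnr"] for r in report.values())
    widest_single = max(r["flagged_ratio"] for r in report.values())
    report["combined"] = {
        "fnr": false_negative_rate(union, truth),
        "flagged_ratio": flagged_ratio(union),
        # Percentage points gained in recall and paid in extra flagged functions.
        "fnr_reduction_points": round((best_single_fnr - false_negative_rate(union, truth)) * 100, 1),
        "extra_flagged_points": round((flagged_ratio(union) - widest_single) * 100, 1),
    }
    return report


if __name__ == "__main__":
    for name, metrics in evaluate().items():
        print(name, metrics)
    print("best pair:", best_combination(FINDINGS, 2))
```

On the constructed data each single tool misses 60% to 80% of the ground-truth functions, the union of all three misses 20% while flagging 30 percentage points more of the code base, and the per-category breakdown shows which vulnerability types a tool never reports; the same functions apply unchanged once the inventories come from a real function index and the findings from real analyzer output.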
Wed 20 Jul (time zone: Seoul)
16:20 - 17:40 | Session 3-1: Static Analysis and Specifications Testing C. Technical Papers at ISSTA 1. Chair(s): Ding Li (Peking University)
16:20, 20m talk | A Large-scale Study of Usability Criteria addressed by Static Analysis Tools. Technical Papers. Marcus Nachtigall (Heinz Nixdorf Institute, Paderborn University), Michael Schlichtig (Heinz Nixdorf Institute, Paderborn University), Eric Bodden (University of Paderborn; Fraunhofer IEM). DOI
16:40, 20m talk | An Empirical Study on the Effectiveness of Static C/C++ Analyzers for Vulnerability Detection. Technical Papers. Stephan Lipp (Technical University of Munich), Sebastian Banescu (Technical University of Munich), Alexander Pretschner (TU Munich). DOI, Pre-print
17:00, 20m talk | Combining Static Analysis Error Traces with Dynamic Symbolic Execution (Experience Paper). Technical Papers. Frank Busse (Imperial College London), Pritam Gharat (Imperial College London), Cristian Cadar (Imperial College London, UK), Alastair F. Donaldson (Imperial College London). DOI, Pre-print
17:20, 20m talk | Path-Sensitive Code Embedding via Contrastive Learning for Software Vulnerability Detection. Technical Papers. Xiao Cheng (University of Technology Sydney), Guanqin Zhang (University of Technology Sydney), Haoyu Wang (Huazhong University of Science and Technology, China), Yulei Sui (University of New South Wales). DOI
Thu 21 Jul (time zone: Seoul)
03:00 - 04:00 | Session 1-7: Static Analysis and Specifications Testing A. Technical Papers at ISSTA 1. Chair(s): Raghavan Komondoor (IISc Bengaluru)
03:00, 20m talk | A Large-scale Study of Usability Criteria addressed by Static Analysis Tools. Technical Papers. Marcus Nachtigall (Heinz Nixdorf Institute, Paderborn University), Michael Schlichtig (Heinz Nixdorf Institute, Paderborn University), Eric Bodden (University of Paderborn; Fraunhofer IEM). DOI
03:20, 20m talk | An Empirical Study on the Effectiveness of Static C/C++ Analyzers for Vulnerability Detection. Technical Papers. Stephan Lipp (Technical University of Munich), Sebastian Banescu (Technical University of Munich), Alexander Pretschner (TU Munich). DOI, Pre-print
03:40, 20m talk | Combining Static Analysis Error Traces with Dynamic Symbolic Execution (Experience Paper). Technical Papers. Frank Busse (Imperial College London), Pritam Gharat (Imperial College London), Cristian Cadar (Imperial College London, UK), Alastair F. Donaldson (Imperial College London). DOI, Pre-print