ISSTA 2022
Mon 18 - Fri 22 July 2022 Online

This paper reports on our experience implementing a technique for sifting through static analysis reports using dynamic symbolic execution. Our insight is that if a static analysis tool produces a partial trace through the program under analysis, annotated with conditions that the analyser believes are important for the bug to trigger, then a dynamic symbolic execution tool may be able to exploit the trace by (a) guiding the search heuristically so that paths that follow the trace most closely are prioritised for exploration, and (b) pruning the search using the conditions associated with each step of the trace. This may allow the bug to be quickly confirmed using dynamic symbolic execution, if it turns out to be a true positive, yielding an input that triggers the bug.

To experiment with this approach, we have implemented the idea in a tool chain that allows the popular open-source static analysis tools Clang Static Analyzer (CSA) and Infer to be combined with the popular open-source dynamic symbolic execution engine KLEE. Our results highlight two interesting negative results. First, while fault injection experiments show the promise of our technique, they also reveal that the traces provided by static analysis tools are not that useful in guiding the search. Second, we have systematically applied CSA and Infer to a large corpus of real-world applications that are suitable for analysis with KLEE, and find that the static analysers are rarely able to find non-trivial true positive bug reports for this set of applications.

We believe our case study can inform static analysis and dynamic symbolic execution tool developers as to where improvements may be necessary, and serve as a call to arms for researchers interested in combining symbolic execution and static analysis to identify more suitable benchmark suites for evaluation of research ideas.

Wed 20 Jul

Displayed time zone: Seoul change

16:20 - 17:40
Session 3-1: Static Analysis and Specifications Testing CTechnical Papers at ISSTA 1
Chair(s): Ding Li Peking University
16:20
20m
Talk
A Large-scale Study of Usability Criteria addressed by Static Analysis Tools
Technical Papers
Marcus Nachtigall Heinz Nixdorf Institute, Paderborn University, Michael Schlichtig Heinz Nixdorf Institute, Paderborn University, Eric Bodden University of Paderborn; Fraunhofer IEM
DOI
16:40
20m
Talk
An Empirical Study on the Effectiveness of Static C/C++ Analyzers for Vulnerability Detection
Technical Papers
Stephan Lipp Technical University of Munich, Sebastian Banescu Technical University of Munich, Alexander Pretschner TU Munich
DOI Pre-print
17:00
20m
Talk
Combining Static Analysis Error Traces with Dynamic Symbolic Execution (Experience Paper)
Technical Papers
Frank Busse Imperial College London, Pritam Gharat Imperial College London, Cristian Cadar Imperial College London, UK, Alastair F. Donaldson Imperial College London
DOI Pre-print
17:20
20m
Talk
Path-Sensitive Code Embedding via Contrastive Learning for Software Vulnerability Detection
Technical Papers
Xiao Cheng University of Technology Sydney, Guanqin Zhang University of Technology Sydney, Haoyu Wang Huazhong University of Science and Technology, China, Yulei Sui University of New South Wales
DOI

Thu 21 Jul

Displayed time zone: Seoul change

03:00 - 04:00
Session 1-7: Static Analysis and Specifications Testing ATechnical Papers at ISSTA 1
Chair(s): Raghavan Komondoor IISc Bengaluru
03:00
20m
Talk
A Large-scale Study of Usability Criteria addressed by Static Analysis Tools
Technical Papers
Marcus Nachtigall Heinz Nixdorf Institute, Paderborn University, Michael Schlichtig Heinz Nixdorf Institute, Paderborn University, Eric Bodden University of Paderborn; Fraunhofer IEM
DOI
03:20
20m
Talk
An Empirical Study on the Effectiveness of Static C/C++ Analyzers for Vulnerability Detection
Technical Papers
Stephan Lipp Technical University of Munich, Sebastian Banescu Technical University of Munich, Alexander Pretschner TU Munich
DOI Pre-print
03:40
20m
Talk
Combining Static Analysis Error Traces with Dynamic Symbolic Execution (Experience Paper)
Technical Papers
Frank Busse Imperial College London, Pritam Gharat Imperial College London, Cristian Cadar Imperial College London, UK, Alastair F. Donaldson Imperial College London
DOI Pre-print