SMT-Based False Positive Elimination in Static Program Analysis

Junker, Maximilian; Huuck, Ralf; Fehnker, Ansgar; Knapp, Alexander

doi:10.1007/978-3-642-34281-3_23

Cited by 27 publications

(19 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

Section: Related Workmentioning

confidence: 99%

“…In the first category, the information is iteratively exchanged between the two techniques [3], [8], [9]. For example, Brat et al [3] and Junker et al [9] have combined these two in such a way static analysis component iteratively exchanges information with the model checker. In the second category, static analysis and model checking are cascaded by using one after the other in a fixed order [6], [12], [14], [15], [17], [19].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Efficient elimination of false positives using static analysis

Muske¹,

Khedker

2015

2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

Bug detection using static analysis has been found useful in practice for ensuring software quality and reliability. However, it often requires sifting through a large number of warnings. This can be handled by generating an assertion corresponding to each warning and verifying the assertion using a model checker to classify the warning as an error or a false positive. Since model checking over larger code fragments is non-scalable and expensive, it is useful to model check a given assertion with a small calling context length. For this, the variables receiving values from outside the context are initialized with arbitrary values generated by non-deterministic choice functions. The calling context length is then gradually increased on a need basis to include callers higher up in the call chains. While this aids scalability by keeping the calling context as small as possible, it requires multiple calls to model checker for the same assertion, requiring a considerable amount of time.We present a static analysis to expedite false positive elimination. It is based on the following observation: When the variables involved in an assertion are allowed to take arbitrary values at the point of assertion, the assertion is most likely to be violated by some or the other combination of values. In such cases, usage of a model checker is redundant as it does not aid in resolution of the corresponding warning. Our data flow analysis identifies (an over-approximated set of) such variables using a novel lattice so that model checking of assertions involving such variables can be avoided. Our empirical evaluation demonstrates that, on an average, the proposed static analysis avoids 49.49% of the total model checking calls, and it reduces the false positives elimination time by 39.28%. However, this gain is achieved at the cost of missing 2.78% false positives which could have been eliminated otherwise.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Efficient elimination of false positives using static analysis

Muske¹,

Khedker

2015

2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

show abstract

“…Hash code matching [25] and coding pattern analysis [12] can be used for identifying recurring violations. Model checking techniques [66], [67] and constraint solvers [68], [69] can also verify true violations and prune false positive. As discussed in Section 3.5, trivial violations reported by FindBugs can be treated as false positives by developers, but they cannot be identified by previous work since they are negligible issues and too trivial to be addressed by developers.…”

Section: Static Analysismentioning

confidence: 99%

Mining Fix Patterns for FindBugs Violations

Liu

Kim

Bissyandé

et al. 2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Several static analysis tools, such as Splint or FindBugs, have been proposed to the software development community to help detect security vulnerabilities or bad programming practices. However, the adoption of these tools is hindered by their high false positive rates. If the false positive rate is too high, developers may get acclimated to violation reports from these tools, causing concrete and severe bugs being overlooked. Fortunately, some violations are actually addressed and resolved by developers. We claim that those violations that are recurrently fixed are likely to be true positives, and an automated approach can learn to repair similar unseen violations. However, there is lack of a systematic way to investigate the distributions on existing violations and fixed ones in the wild, that can provide insights into prioritizing violations for developers, and an effective way to mine code and fix patterns which can help developers easily understand the reasons of leading violations and how to fix them.In this paper, we first collect and track a large number of fixed and unfixed violations across revisions of software. The empirical analyses reveal that there are discrepancies in the distributions of violations that are detected and those that are fixed, in terms of occurrences, spread and categories, which can provide insights into prioritizing violations. To automatically identify patterns in violations and their fixes, we propose an approach that utilizes convolutional neural networks to learn features and clustering to regroup similar instances. We then evaluate the usefulness of the identified fix patterns by applying them to unfixed violations. The results show that developers will accept and merge a majority (69/116) of fixes generated from the inferred fix patterns. It is also noteworthy that the yielded patterns are applicable to four real bugs in the Defects4J major benchmark for software testing and automated repair.

show abstract

“…However, these approaches still suffers from the scalability problem in practice. To avoid path explosion problem, many approaches rely on symbolic evaluation [24], [25]. To check whether a path is infeasible, the path is symbolically executed to generate a symbolic expression representing the path.…”

Section: Related Workmentioning

confidence: 99%

Heuristic Path Pruning Algorithm Based on Error Handling Pattern Recognition in Detecting Vulnerability

Chen

Zhang

Cheng

et al. 2013

2013 IEEE 37th Annual Computer Software and Applications Conference Workshops

View full text Add to dashboard Cite

Using symbolic execution in path sensitive detection of software vulnerabilities develop quickly recently. It has a lot of application and research progress. However, symbolic execution still suffers from the scalability problem in practice, especially when applied to large scale or very complex programs. In this paper, we propose a new heuristic path pruning algorithm based on non-fatal error handling(NFEH) pattern recognition. Firstly, it use three patterns to recognize NFEH module in binary code and then stop analyzing NFEH branches when using symbolic execution. To demonstrate the effectiveness of this new approach, we have implemented a prototype tool PrunEbt based on a binary static integer vulnerability detecting tool (Statictaint). Experimental results are quite encouraging. PrunEbt can effectively recognize NFEH modules in binary program, significantly reduce the search space and have no omissions of true vulnerabilities. At last, it has detected one zero-day integer vulnerability in widely used image recognition library Libpng v1.5.13.

show abstract

SMT-Based False Positive Elimination in Static Program Analysis

Cited by 27 publications

References 24 publications

Efficient elimination of false positives using static analysis

Efficient elimination of false positives using static analysis

Mining Fix Patterns for FindBugs Violations

Heuristic Path Pruning Algorithm Based on Error Handling Pattern Recognition in Detecting Vulnerability

Contact Info

Product

Resources

About