Using static analysis for finding security vulnerabilities and critical errors in source code

Using static analysis for finding security vulnerabilities and critical errors in source code

Static analysis is a popular way of finding given patterns in source or binary code (e.g., coding style errors, violations of project guidelines of using specific libraries or language features, critical errors, security vulnerabilities, malicious code). In this paper we review the static analysis t...

Full description

Bibliographic Details
Main Authors: Arutyun Avetisyan, Andrey Belevantsev, Alexey Borodin, Vladimir Nesov
Format: Article
Language:English
Published: Ivannikov Institute for System Programming of the Russian Academy of Sciences 2018-10-01
Series:Труды Института системного программирования РАН
Subjects:
статический анализ
анализ потока данных
интервальный анализ
межпроцедурный анализ
уязвимости
Online Access:https://ispranproceedings.elpub.ru/jour/article/view/1026
Description
Summary:Static analysis is a popular way of finding given patterns in source or binary code (e.g., coding style errors, violations of project guidelines of using specific libraries or language features, critical errors, security vulnerabilities, malicious code). In this paper we review the static analysis tool developed in ISP RAS for finding critical errors and security vulnerabilities in C/C++ source code. The tool uses interprocedural unsound dataflow analysis and allows performing fully automatic analysis resulting in 40-80% true positive rate which is on par with the best commercial tools in this area.
ISSN:2079-8156
2220-6426

Similar Items