Using static analysis for finding security vulnerabilities and critical errors in source code

Using static analysis for finding security vulnerabilities and critical errors in source code

Static analysis is a popular way of finding given patterns in source or binary code (e.g., coding style errors, violations of project guidelines of using specific libraries or language features, critical errors, security vulnerabilities, malicious code). In this paper we review the static analysis t...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Trudy Instituta sistemnogo programmirovaniâ 2018-10, Vol.21
Hauptverfasser: Arutyun Avetisyan, Andrey Belevantsev, Alexey Borodin, Vladimir Nesov
Format: Artikel
Sprache:eng
Schlagworte:
анализ потока данных
интервальный анализ
межпроцедурный анализ
статический анализ
уязвимости
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Static analysis is a popular way of finding given patterns in source or binary code (e.g., coding style errors, violations of project guidelines of using specific libraries or language features, critical errors, security vulnerabilities, malicious code). In this paper we review the static analysis tool developed in ISP RAS for finding critical errors and security vulnerabilities in C/C++ source code. The tool uses interprocedural unsound dataflow analysis and allows performing fully automatic analysis resulting in 40-80% true positive rate which is on par with the best commercial tools in this area.
ISSN:2079-8156
2220-6426