Program analysis with risk-based classification of dynamic invariants for logical error detection

Abstract

Logical errors in programs, which cause deviations from the intended functionality, cannot be detected by automated source code analysis, which mainly focuses on known defects and code vulnerabilities. To this end, we introduce a combination of analysis techniques implemented in a proof-of-concept prototype called PLATO. First, a set of dynamic invariants representing the program's logic is inferred from the source code. The code is instrumented with assertions derived from the invariants, which are then evaluated through the program's symbolic execution. The findings are ranked using a fuzzy logic system with two scales characterizing their impact: (i) a Severity scale based on the execution paths' characteristics and their Information Gain, and (ii) a Reliability scale based on the measured Computational Density. Real as well as synthetic applications with at least four different types of logical errors were analyzed. The method's effectiveness was assessed on a dataset from 25 experiments. Albeit not without restrictions, the proposed automated analysis appears able to detect a wide variety of logical errors while filtering out false positives.
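The first two steps of the pipeline (inferring likely invariants from executions, then checking them as assertions on a suspicious path) as an added illustration; this is not PLATO's code. It uses hand-written trace records for a hypothetical withdraw(balance, amount) function in place of instrumentation and symbolic execution, and leaves out the fuzzy ranking.

```python
# Added illustration (not PLATO's code): Daikon-style inference of likely
# invariants from execution traces, then checking them as assertions on a
# suspicious execution state. The withdraw() scenario and traces are constructed.
from itertools import combinations, permutations

# Constructed trace records: variable values at the exit of a hypothetical
# withdraw(balance, amount) function, captured during correct executions.
GOOD_TRACES = [
    {"balance": 100, "amount": 30, "new_balance": 70},
    {"balance": 50, "amount": 50, "new_balance": 0},
    {"balance": 20, "amount": 5, "new_balance": 15},
    {"balance": 80, "amount": 10, "new_balance": 70},
]

# Invariant templates: a unary bound, binary comparisons and one linear relation.
UNARY = {"{a} >= 0": lambda a: a >= 0}
BINARY = {
    "{a} <= {b}": lambda a, b: a <= b,
    "{a} >= {b}": lambda a, b: a >= b,
    "{a} == {b}": lambda a, b: a == b,
}
TERNARY = {"{a} == {b} - {c}": lambda a, b, c: a == b - c}


def infer_invariants(traces):
    """Return (name, predicate) pairs for every template instance holding on all traces."""
    names = sorted(traces[0])
    candidates = []
    for v in names:
        for tmpl, p in UNARY.items():
            candidates.append((tmpl.format(a=v), lambda s, v=v, p=p: p(s[v])))
    for a, b in combinations(names, 2):
        for tmpl, p in BINARY.items():
            candidates.append((tmpl.format(a=a, b=b), lambda s, a=a, b=b, p=p: p(s[a], s[b])))
    for a, b, c in permutations(names, 3):
        for tmpl, p in TERNARY.items():
            candidates.append((tmpl.format(a=a, b=b, c=c),
                               lambda s, a=a, b=b, c=c, p=p: p(s[a], s[b], s[c])))
    # Keep only the candidates never falsified by an observed correct execution.
    return [(n, f) for n, f in candidates if all(f(s) for s in traces)]


def check_assertions(invariants, state):
    """Evaluate the inferred assertions on one execution state; return violated names."""
    return [n for n, f in invariants if not f(state)]


if __name__ == "__main__":
    invs = infer_invariants(GOOD_TRACES)
    # Constructed logical error: a path where the missing "amount <= balance" check
    # lets the balance go negative. The arithmetic invariant still holds there;
    # only the precondition-style invariants are violated.
    bad_state = {"balance": 20, "amount": 50, "new_balance": -30}
    print([n for n, _ in invs])
    print("violated:", check_assertions(invs, bad_state))
```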
