Of Massive Static Analysis Data

The Software Assurance Metrics and Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST) has organized four Static Analysis Tool Expositions (SATE). SATE is designed to advance research in static analysis tools that find security-relevant defects in source code. Briefly, participating tool makers run their tools on a set of programs, researchers led by NIST analyze the tool outputs, and the results and experiences are reported at a workshop. These expositions have accumulated large amounts of data. This collection has allowed practical metrics of static analysis tool effectiveness and independence to be developed and validated. In this paper, we discuss the role of the data in determining which metrics can be derived. Specifically, we describe three characteristics that test data should exhibit and explain why each of the data sets we use exhibits a different pair of these three properties.
