Integrating Static and Dynamic Analysis for Detecting Vulnerabilities

Secure software demands effective techniques for detecting vulnerabilities during the development cycle. Finding security flaws before deployment reduces the risk that those vulnerabilities pose to the organization. Static analysis and dynamic analysis offer two complementary approaches to checking for vulnerabilities. Static analysis scans the source code or binary without executing it; it is fast and imposes no run-time overhead, but it is imprecise and can generate large numbers of false positives and false negatives. Dynamic analysis, on the other hand, runs the software and observes its behavior on concrete test cases, so false positives and false negatives are less of a problem; however, it requires a large number of test cases to reach a given level of confidence that security bugs have been found. This paper describes a methodology that integrates the two approaches so that each compensates for the weaknesses of the other while retaining its strengths. We currently address buffer overflow vulnerabilities in the presence of pointer aliasing. The same idea can be extended to other classes of vulnerabilities, for example memory errors, race conditions (time-of-check to time-of-use vulnerabilities), dangling pointers, and integer errors.
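The following is an added example, not code from the paper, that illustrates why pointer aliasing defeats purely static reasoning about buffer overflows and how a dynamic check placed at a statically flagged write site resolves the question with concrete inputs. The buffers, the `use_small` flag, and the `write_in_bounds` check are constructed for illustration; real tools would compute the candidate sites and the region table automatically.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { WRITE_OK = 0, WRITE_OVERFLOW = 1 };

/* A memory region with its base address and size. */
struct region { char *base; size_t len; };

/* Dynamic bounds check instrumented at a write site that a static pass
 * flagged as "possible overflow through an aliased pointer".  It runs only
 * with concrete values, so it decides exactly what the static pass could not.
 * Addresses are compared as integers to avoid comparing pointers into
 * different objects. */
static bool write_in_bounds(const struct region *r, const char *p, size_t n)
{
    uintptr_t lo = (uintptr_t)r->base;
    uintptr_t hi = lo + r->len;
    uintptr_t at = (uintptr_t)p;
    return at >= lo && at <= hi && n <= hi - at;
}

/* Constructed target function: 'dst' aliases one of two buffers of different
 * size, chosen at run time, and is then written through with memcpy.
 * Returns WRITE_OK if the copy was performed, WRITE_OVERFLOW if the check
 * confirmed that the copy would overrun the buffer 'dst' actually points to. */
int copy_through_alias(bool use_small, const char *input, size_t n)
{
    char small[8];
    char big[64];
    struct region rs = { small, sizeof small };
    struct region rb = { big, sizeof big };

    /* Static analysis cannot resolve which buffer 'dst' aliases at this
     * point: a conservative tool warns on every call (false positives),
     * a permissive one assumes the larger target and warns on none
     * (false negatives). */
    char *dst = use_small ? small : big;
    const struct region *target = use_small ? &rs : &rb;

    /* Dynamic confirmation on the flagged site: the overflow is reported
     * only on the path and input that actually overrun 'small'. */
    if (!write_in_bounds(target, dst, n))
        return WRITE_OVERFLOW;

    memcpy(dst, input, n);
    return WRITE_OK;
}
```

The static pass narrows the search to this one write site; the dynamic check then needs only test cases that exercise both aliasing outcomes (`use_small` true and false) with short and long inputs, rather than exhaustive testing of the whole program.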