ISA: a source code static vulnerability detection system based on data fusion

Static analysis is a kind of effective method to detect the vulnerabilities in the software. Without running the programs, static analysis tools can be used to automatically discover unknown bugs. To cope with the problem of high false positives and false negatives in source code static analysis methods, this paper presents a source code static analysis technology for vulnerability detection based on data fusion. By parsing and making data fusion on the outcome of different static analysis methods, this technology lets different results validate each other, which greatly decreases the false positives and false negatives. Brief explanations are given to support this method. A prototype system of scalable source code analysis system (ISA for short) is designed and implemented which also can automatically search for the best result based on feedback of the user interaction. The whole system is scalable and platform-independent. It is proved by experiment that this method has a better performance with lower false positives and false negatives and higher efficiency compared with one single method.

[1]  David Wagner,et al.  Static analysis and computer security: new techniques for software assurance , 2000 .

[2]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[3]  Dawson R. Engler,et al.  Z-Ranking: Using Statistical Analysis to Counter the Impact of Static Analysis Approximations , 2003, SAS.

[4]  Junfeng Yang,et al.  Correlation exploitation in error ranking , 2004, SIGSOFT '04/FSE-12.

[5]  Gary McGraw,et al.  Static Analysis for Security , 2004, IEEE Secur. Priv..

[6]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[7]  Yang Meng Tan,et al.  LCLint: a tool for using specifications to check code , 1994, SIGSOFT '94.

[8]  Jan Vitek,et al.  FAULTMINER: DISCOVERING UNKNOWN SOFTWARE DEFECTS USING STATIC ANALYSIS AND DATA MINING , 2006 .

[9]  Rudolf Kruse,et al.  Data Fusion and Perception , 2001, International Centre for Mechanical Sciences.

[10]  Zhi Zhou,et al.  Common Vulnerability Markup Language , 2003, ACNS.

[11]  Gary Mcgraw Software security , 2004, IEEE Security & Privacy Magazine.

[12]  Jiulong Shan,et al.  Automated Vulnerability Management through Web Services , 2003, GCC.

[13]  Paul Anderson,et al.  The CodeSurfer software understanding platform , 2005, 13th International Workshop on Program Comprehension (IWPC'05).

[14]  Adriano Valenzano,et al.  Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software , 2006, 2006 1st International Conference on Communication Systems Software & Middleware.

[15]  David A. Wagner,et al.  MOPS: an infrastructure for examining security properties of software , 2002, CCS '02.