Using static analysis for finding security vulnerabilities and critical errors in source code

Arutyun Avetisyan; Andrey Belevantsev; Alexey Borodin; Vladimir Nesov

Труды Института системного программирования РАН (Oct 2018)

Using static analysis for finding security vulnerabilities and critical errors in source code

Arutyun Avetisyan,
Andrey Belevantsev,
Alexey Borodin,
Vladimir Nesov

Affiliations

Arutyun Avetisyan: ИСП РАН
Andrey Belevantsev: ИСП РАН
Alexey Borodin: ИСП РАН
Vladimir Nesov: ИСП РАН

Journal volume & issue: Vol. 21, no. 0

Abstract

Read online

Static analysis is a popular way of finding given patterns in source or binary code (e.g., coding style errors, violations of project guidelines of using specific libraries or language features, critical errors, security vulnerabilities, malicious code). In this paper we review the static analysis tool developed in ISP RAS for finding critical errors and security vulnerabilities in C/C++ source code. The tool uses interprocedural unsound dataflow analysis and allows performing fully automatic analysis resulting in 40-80% true positive rate which is on par with the best commercial tools in this area.

Published in Труды Института системного программирования РАН

ISSN: 2079-8156 (Print); 2220-6426 (Online)
Publisher: Ivannikov Institute for System Programming of the Russian Academy of Sciences
Country of publisher: Russian Federation
LCC subjects: Science: Mathematics: Instruments and machines: Electronic computers. Computer science
Website: https://ispranproceedings.elpub.ru/jour/index

About the journal

Abstract

Keywords