US20140115564A1 - Differential static program analysis - Google Patents


Info

Publication number
US20140115564A1
Authority
US
United States
Prior art keywords
level
analysis
findings
low
analyses
Prior art date
Legal status
Abandoned
Application number
US13/656,244
Inventor
Salvatore Angelo Guarnieri
Omer Tripp
Marco Pistoia
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US13/656,244
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignors: TRIPP, OMER; GUARNIERI, SALVATORE A.; PISTOIA, MARCO
Priority to US13/673,419 (patent US8935680B2)
Publication of US20140115564A1
Legal status: Abandoned

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/70 Software maintenance or management
    • G06F 8/75 Structural analysis for program understanding
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs

Definitions

  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • multiple analyses may be performed at differing levels of precision.
  • analyses may not simply vary along a single precision variable.
  • one scanning tool may focus on rule-based scanning, with precision varying with the number and strictness of the rules, a data-flow-based scanning tool will find an entirely different class of violations, such that the analyses of the two tools may not be directly comparable.
  • this information may nonetheless be used to create mappings between the different tools.
  • findings by, e.g., a rule-based scanner may be used to improve the reporting of findings from a flow-based scanner.
  • Block 202 groups analysis findings recursively.
  • the analyses are ordered, such that A_n is less precise than A_{n+1}.
  • Block 204 begins at the most precise analysis A_n and the next less precise analysis A_{n-1} and removes from S_n all findings that are covered in A_{n-1}.
  • Block 206 repeats this process for S_{n-1}, removing all findings that are covered in A_{n-2}. In this way, findings are mapped to the least precise analysis in which they occur.
  • the scanning tools have a total order, such that A_{i-1} is less precise than A_i for all i. In such an embodiment, if a finding is reported by a more precise analysis, then that finding is mappable to a less precise analysis.
  • the scanning tools form a partially ordered set where, for example, A_1 is less precise than A_3 and A_2 is less precise than A_3, but there is no strict ordering between A_1 and A_2. In such an embodiment, one approach is to form the union of A_1 and A_2 and eliminate based on A_3. If no strict order can be established, an arbitrary order may be selected by any appropriate means.
  • a “high-level” analysis corresponds to a low precision analysis
  • a “low-level” analysis corresponds to a high-precision analysis, such that a high-level analysis will be less precise than a low-level analysis.
  • Block 302 reports each surviving finding at its associated precision level.
  • Block 304 builds links between findings in different analyses. For example, if a given finding f from A_i is suppressed due to a finding f′ of A_{i-1}, then block 304 links f′ to f to enable a review of the suppressed finding.
  • Block 306 then provides a navigation mechanism for users to view suppressed findings, such that following a link in a suppressed finding gives greater detail and context for that finding based on the linked level of analysis. This allows a user to more easily determine an appropriate action to take.
  • the system 400 includes a processor 402 and memory 404 and one or more scanning tools 406 .
  • the scanning tools 406 employ the processor 402 and memory 404 to scan a program under test to determine whether the program violates one or more properties.
  • the scanning tools 406 may operate at differing levels of precision or according to different methodologies (e.g., rule-based or data-flow-based).
  • the results of the scanning tools 406 are reviewed by a mapping module, which establishes mappings between particular violations and a most appropriate precision level, while reporting module 410 turns the mapped results into an intuitive, easy-to-use format for a user.

Abstract

Methods for program analysis include performing a high-level analysis on a program using a processor to generate one or more high-level findings; performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; mapping the one or more low-level findings to the high-level findings to generate a concise combination report that categorizes each finding according to the highest-level analysis that produces the finding.

Description

    BACKGROUND
  • 1. Technical Field
  • The present invention relates to static code analysis and, more particularly, to using multiple analyses with differing levels of precision to make static analysis reports more useful.
  • 2. Description of the Related Art
  • Static code analysis is a powerful approach for software verification. Static analysis typically features one-sided error: a subject program is safe with regard to the tested property if no violations of the property are discovered by the analysis, which over-approximates the program's set of possible behaviors. However, if the analysis does report violations of the property, then that doesn't necessarily imply that the program is incorrect. These violations may be false reports due to the approximations the analysis applies to put bounds on the state space of the program, which could otherwise be infinite.
  • Since the tested properties are mostly hard to verify statically (e.g., security vulnerabilities, concurrency bugs, typestate violations, etc.), static analysis tools typically have a high proportion of false reports. For example, commercial static security tools—such as IBM Rational AppScan Source Edition and HP Fortify 360—would report about 10,000 vulnerabilities on a program containing 100,000 LOC. This limits the usability of commercial analysis tools: The size of the report, together with the poor quality of many of the findings, makes it difficult to translate the report into an actionable list of remediation tasks.
  • SUMMARY
  • A method for program analysis is shown that includes performing a high-level analysis on a program using a processor to generate one or more high-level findings; performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; and mapping the one or more low-level findings to the high-level findings to generate a concise combination report that categorizes each finding according to the highest-level analysis that produces the finding.
  • A method for program analysis is shown that includes performing a high-level analysis on a program using a processor to generate one or more high-level findings; performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; mapping the one or more low-level findings to the high-level findings to generate a concise combination report that displays results associated with the analyses such that high-level findings are grouped together and suppressed in information relating to low-level reports; and linking analyses in the combination report to associate a suppressed finding in a first analysis with a full report on the finding in a second analysis.
  • A method for program analysis is shown that includes performing a high-level analysis on a program using a processor to generate one or more high-level findings; performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; mapping the one or more low-level findings to the high-level findings to generate a concise combination report that displays results associated with the analyses such that high-level findings are grouped together and suppressed in information relating to low-level reports; and linking analyses in the combination report to associate a suppressed finding in a first analysis with a full report on the finding in a second analysis. Mapping includes generating a set that combines all of the high-level and low-level findings; removing from the set any findings that were generated by an analysis having a higher associated level of precision than an analysis in question; associating the set of remaining findings with the analysis in question; and repeating said generating, removing, and associating for each analysis.
  • A system for program analysis is shown that includes a high-level scanning tool configured to perform a high-level analysis on a program using a processor to generate one or more high-level findings; one or more low-level scanning tools, each configured to perform a low-level analysis on the program using a processor to generate a low-level finding; a mapping module configured to map the one or more low-level findings to the high-level findings to generate a concise combination report that categorizes each finding according to the highest-level analysis that produces the finding.
  • A system for program analysis is shown that includes a high-level scanning tool configured to perform a high-level analysis on a program using a processor to generate one or more high-level findings; one or more low-level scanning tools, each configured to perform a low-level analysis on the program using a processor to generate a low-level finding; a mapping module configured to map the one or more low-level findings to the high-level findings to generate a concise combination report that displays results associated with the analyses such that high-level findings are grouped together and suppressed in information relating to low-level reports; and a report module configured to link analyses in the combination report to associate a suppressed finding in a first analysis with a full report on the finding in a second analysis.
  • A system for program analysis is shown that includes a high-level scanning tool configured to perform a high-level analysis on a program using a processor to generate one or more high-level findings; one or more low-level scanning tools, each configured to perform a low-level analysis on the program using a processor to generate a low-level finding; a mapping module configured to map the one or more low-level findings to the high-level findings to generate a concise combination report that displays results associated with the analyses, such that high-level findings are grouped together and suppressed in information relating to low-level reports, to generate a set that combines all of the high-level and low-level findings, to remove from the set any findings that were generated by an analysis having a higher associated level of precision than an analysis in question, to associate the set of remaining findings with the analysis in question, and to repeat said generation, removal, and association for each analysis; and a report module configured to link analyses in the combination report to associate a suppressed finding in a first analysis with a full report on the finding in a second analysis.
  • These and other features and advantages will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.
  • BRIEF DESCRIPTION OF DRAWINGS
  • The disclosure will provide details in the following description of preferred embodiments with reference to the following figures wherein:
  • FIG. 1 is a block/flow diagram of a method for program analysis according to the present principles;
  • FIG. 2 is a block/flow diagram of a method for analysis mapping in a combination report according to the present principles;
  • FIG. 3 is a block/flow diagram of building a combination report for high- and low-level analyses according to the present principles; and
  • FIG. 4 is a diagram of a program analysis system according to the present principles.
  • DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
  • The present principles provide for a differential static analysis, where using multiple analyses of increasing granularity enables the reporting of fewer findings compared to using more fine-grained analyses. Moreover, each of the reported findings is reported at an intuitive level, making it easier for the analyst to take appropriate remediating action in response to discovered violations. By grouping together similar findings, the job of the human reviewer is made much simpler, as similar violations are listed in such a way as to make identifying root causes easier.
  • Static security analysis typically takes the form of taint analysis, where the analysis is parameterized by a set of security rules, each rule being a triple <Src,San,Snk>, where Src denotes source statements that read untrusted user inputs, San denotes downgrader statements that endorse untrusted data by validating and/or sanitizing it, and Snk denotes sink statements which perform security-sensitive operations. Given a security rule R, any flow from a source in Src_R to a sink in Snk_R that doesn't pass through a downgrader from San_R comprises a potential vulnerability. This reduces security analysis to a graph reachability problem.
  • The below example code illustrates one instance where the present principles may improve the usefulness of static analysis.
  • static String tempUserName;
    ...
    String name = request.getParameter("name"); // Source: untrusted user input
    if (tempUserName == null) {
        tempUserName = name;                     // conditional store into the static field
    }
    ...
    L1: tempUserName = null;
    ...
    L2: if (tempUserName != null) {              // only true if another thread wrote the field between L1 and L2
        String userName = tempUserName; ...;
        DB.write(userName); // Sink: flow via the static field
    }
    DB.write(name); // Sink: direct flow
  • In this example, which is taken from the domain of security analysis, an untrusted (e.g., user-provided) value is read by the request.getParameter statement. This represents a “Source” in the static analysis. This value then conditionally flows into a static variable, tempUserName, which conditionally flows into variable userName. The variable userName is an argument to a “Sink” statement, the database update operation DB.write. There is also a “direct” flow, where the variable “name” is passed directly to DB.write. In this case, the flow through the static variable tempUserName is likely to be spurious. The only scenario that would make tempUserName potentially vulnerable is if another thread sets tempUserName to an untrusted value between the execution of the statements at program labels L1 and L2.
  • Standard security analyses, based on data-flow reachability, would report both flows as being vulnerable. This output is suboptimal, however, because the analysis report becomes cluttered with “weak” issues. These weak issues, which are unlikely to reflect actual vulnerabilities in the program, reduce the quality of the report by making important issues harder to find and, consequently, more difficult to respond to. In the example code above this is not a dramatic concern, because there is only one spurious flow through the static tempUserName variable. In a real-world application, however, there would typically be a great many such flows reported.
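The rule triple <Src,San,Snk> and the two flows in the example above, as an added example that is not code from the patent: a constructed data-flow graph of the example program and a reachability check that treats a rule as "source-to-sink paths that avoid every downgrader". The node labels, the distinct DB.write#direct and DB.write#viaStatic sink labels, and the sanitize downgrader node are assumptions made for illustration.

```python
# Constructed data-flow graph of the example program (added example, not the
# patent's own code). An edge u -> v means the value at u may flow to v.
# Node names are ours; the two DB.write calls get distinct labels so that the
# direct flow and the flow via the static field are separate sinks.
EXAMPLE_FLOW_GRAPH = {
    "request.getParameter": {"name"},
    "name": {"tempUserName", "DB.write#direct"},  # store into static field; direct sink call
    "tempUserName": {"userName"},                 # read back at label L2
    "userName": {"DB.write#viaStatic"},
    "DB.write#direct": set(),
    "DB.write#viaStatic": set(),
}

# Same program with an assumed downgrader 'sanitize' placed on the direct path.
SANITIZED_FLOW_GRAPH = dict(EXAMPLE_FLOW_GRAPH)
SANITIZED_FLOW_GRAPH["name"] = {"tempUserName", "sanitize"}
SANITIZED_FLOW_GRAPH["sanitize"] = {"DB.write#direct"}


class SecurityRule:
    """A taint rule R = <Src, San, Snk>: source, downgrader and sink statements."""

    def __init__(self, name, sources, sanitizers, sinks):
        self.name = name
        self.sources = frozenset(sources)
        self.sanitizers = frozenset(sanitizers)
        self.sinks = frozenset(sinks)


# Assumed rule: untrusted request parameters must not reach DB.write unsanitized.
DB_WRITE_RULE = SecurityRule(
    "untrusted-data-to-DB.write",
    sources={"request.getParameter"},
    sanitizers={"sanitize"},
    sinks={"DB.write#direct", "DB.write#viaStatic"},
)


def taint_flows(graph, rule):
    """Return every source -> sink path that avoids all downgraders of the rule.

    This is the graph-reachability formulation: a depth-first search that never
    enters a sanitizer node, so a downgrader on a path breaks that flow. Each
    returned path is a tuple of node labels from source to sink.
    """
    flows = []
    for src in sorted(rule.sources):
        stack = [(src, (src,))]
        while stack:
            node, path = stack.pop()
            if node in rule.sinks:
                flows.append(path)
                continue
            for nxt in sorted(graph.get(node, ())):
                if nxt in rule.sanitizers or nxt in path:  # downgraded, or a cycle
                    continue
                stack.append((nxt, path + (nxt,)))
    return sorted(flows)


def flows_through(flows, variable):
    """Subset of flows whose interior passes through a given variable."""
    return [f for f in flows if variable in f[1:-1]]


if __name__ == "__main__":
    for f in taint_flows(EXAMPLE_FLOW_GRAPH, DB_WRITE_RULE):
        print(" -> ".join(f))
```

Run against the unsanitized graph the check reports both flows the text describes (the direct one and the one through tempUserName); against the sanitized variant only the flow via the static field survives, which is exactly the "weak" issue a coarser analysis can absorb.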
  • Referring now to the drawings, in which like numerals represent the same or similar elements, and initially to FIG. 1, a high-level method for differential static program analysis is shown. Block 102 performs multiple static analyses of a given program at differing levels of precision, where differing levels of approximation are used. Generally, a less precise analysis will produce more false positives. Block 104 creates an ordered hierarchy of analyses, from least to most precise, and, for each consecutive pair of analyses, removes all findings from the more precise analysis that are also present in the less precise analysis. Alternatively, block 104 removes from a more precise analysis those violations that exist in any less precise analysis. Block 106 then creates a report to the user detailing the findings. By reporting each violation only at the lowest level of precision at which it occurs, block 106 provides violation information in a manner that groups similar violations together and makes it easier both to ignore unimportant violations and to determine a best course of action for important violations.
  • According to the present principles then, multiple coarse analyses may be run in conjunction with the data-flow analysis in block 102. For example, quality analyses can be run, which enforce recommended coding practices. Such a quality analysis on the above example code would flag the fact that vulnerable flows pass through a static variable. Such an analysis would not even perform interprocedural data-flow reachability analysis. Instead, it would flag a “coarse” finding on the very fact that tempUserName is used in a security-sensitive context. As a result, the more refined data-flow analysis could soundly suppress all flows involving tempUserName, knowing that these are grouped as a single finding by the more coarse analysis.
  • As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing. Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • As noted above in block 102, multiple analyses may be performed at differing levels of precision. However, such analyses may not simply vary along a single precision variable. For example, while one scanning tool may focus on rule-based scanning, with precision varying with the number and strictness of the rules, a data-flow-based scanning tool will find an entirely different class of violations, such that the analyses of the two tools may not be directly comparable. However, this information may nonetheless be used to create mappings between the different tools. In this way, findings by, e.g., a rule-based scanner may be used to improve the reporting of findings from a flow-based scanner.
  • Referring now to FIG. 2, a diagram providing greater detail on mapping findings between different scanning tools is shown. Block 202 groups analysis findings recursively. The set of findings $S_n$ mapped to a given analysis $n$ is initialized in block 202 as $S_n = \bigcup_{i=1}^{n} A_i$, where $A_n$ is the set of findings resulting from the analysis $n$. The analyses are ordered such that $n$ is less precise than $n+1$. Block 204 begins at the most precise analysis $A_n$ and the next less precise analysis $A_{n-1}$ and removes from $S_n$ all findings that are covered in $A_{n-1}$. Block 206 repeats this process for $S_{n-1}$, removing all findings that are covered in $A_{n-2}$. In this way, findings are mapped to the least precise analysis in which they occur.
  • In one embodiment, it is assumed that the scanning tools have a total order, such that $A_{i-1}$ is less precise than $A_i$ for all $i$. In such an embodiment, if a finding is reported by a more precise analysis, then that finding is mappable to a less precise analysis. In another embodiment, the scanning tools form a partially ordered set where, for example, $A_1$ is less precise than $A_3$ and $A_2$ is less precise than $A_3$, but there is no strict ordering between $A_1$ and $A_2$. In such an embodiment, one approach is to form the union of $A_1$ and $A_2$ and eliminate based on $A_3$. If no strict order can be established, an arbitrary order may be selected by any appropriate means. In the case of a partial ordering, where a violation is found at a nominally lower level but absent at a higher level, the violation is left associated with the highest-level analysis at which it occurs. It should be understood that a “high-level” analysis, as used herein, corresponds to a low-precision analysis, while a “low-level” analysis corresponds to a high-precision analysis, such that a high-level analysis will be less precise than a low-level analysis.
  • Referring now to FIG. 3, report generation is shown. After mapping is performed, as with FIG. 2 above, block 302 reports each surviving finding at its associated precision level. Block 304 builds links between findings in different analyses. For example, if a given finding $f$ from $A_i$ is suppressed due to a finding $f'$ of $A_{i-1}$, then block 304 links $f'$ to $f$ to enable a review of the suppressed finding. Block 306 then provides a navigation mechanism for users to view suppressed findings, such that following a link in a suppressed finding gives greater detail and context for that finding based on the linked level of analysis. This allows a user to more easily determine an appropriate action to take.
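The mapping of FIG. 2 and the linked report of FIG. 3, applied to the rule-based versus data-flow findings of the tempUserName example above, as an added Python example that is not part of the patent. Analyses are given as ordered levels; the coverage predicate `footprint_covers`, the analysis names and all findings are constructed assumptions, and incomparable analyses (the partial-order case) are merged into one level by the caller.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One violation reported by one analysis (constructed data model)."""
    level: int            # 0 = least precise ("highest-level") analysis
    kind: str             # e.g. "taint-flow", "static-in-sensitive-context"
    elements: frozenset   # program elements (variables, calls) the finding involves
    detail: str


def footprint_covers(coarse, fine):
    """Hypothetical coverage predicate (not defined by the patent): a coarser
    finding covers a finer one when every element it names also appears in
    the finer finding, e.g. a rule hit on tempUserName covers every flow
    that passes through tempUserName."""
    return coarse.elements <= fine.elements


def map_findings(levels, covers=footprint_covers, any_coarser=False):
    """levels[i] is the set of findings of analysis i, ordered least to most
    precise (analyses that are incomparable in a partial order are merged into
    one level by the caller). Walks from the most precise level downwards and
    drops a finding when the next less precise analysis (or, with
    any_coarser=True, any less precise analysis) already covers it.
    Returns (surviving, links): surviving[i] is what level i still reports and
    links[coarse] lists the finer findings that coarse suppressed."""
    surviving = {i: set(fs) for i, fs in enumerate(levels)}
    links = defaultdict(list)
    for i in range(len(levels) - 1, 0, -1):
        candidates = range(i) if any_coarser else [i - 1]
        for f in sorted(surviving[i], key=lambda x: x.detail):
            coarse = next((c for j in candidates
                           for c in sorted(levels[j], key=lambda x: x.detail)
                           if covers(c, f)), None)
            if coarse is not None:
                surviving[i].discard(f)   # reported only at the coarser level
                links[coarse].append(f)
    return surviving, dict(links)


def render(surviving, links, names):
    """Text report: every surviving finding under its level, with the findings
    it suppressed indented beneath it so a reviewer can drill down."""
    lines = []

    def emit(f, depth):
        lines.append("  " * depth + f"[{names[f.level]}] {f.kind}: {f.detail}")
        for g in links.get(f, []):
            emit(g, depth + 1)

    for lvl in sorted(surviving):
        for f in sorted(surviving[lvl], key=lambda x: x.detail):
            emit(f, 0)
    return lines


# Constructed findings modelled on the tempUserName example in the description.
NAMES = ["rule-based", "data-flow", "context-sensitive data-flow"]
RULE = Finding(0, "static-in-sensitive-context", frozenset({"tempUserName"}),
               "static field tempUserName reaches DB.write")
FLOW_STATIC = Finding(1, "taint-flow",
                      frozenset({"request.getParameter", "tempUserName", "userName", "DB.write"}),
                      "request.getParameter -> tempUserName -> userName -> DB.write")
FLOW_DIRECT = Finding(1, "taint-flow", frozenset({"request.getParameter", "name", "DB.write"}),
                      "request.getParameter -> name -> DB.write")
FLOW_DIRECT_CTX = Finding(2, "taint-flow",
                          frozenset({"doPost", "request.getParameter", "name", "DB.write"}),
                          "doPost: request.getParameter -> name -> DB.write")
FLOW_ONLY_FINE = Finding(2, "taint-flow", frozenset({"request.getHeader", "msg", "Logger.log"}),
                         "doGet: request.getHeader -> msg -> Logger.log")
LEVELS = [{RULE}, {FLOW_STATIC, FLOW_DIRECT}, {FLOW_DIRECT_CTX, FLOW_ONLY_FINE}]

if __name__ == "__main__":
    surviving, links = map_findings(LEVELS)
    print("\n".join(render(surviving, links, NAMES)))
```

With the sample input the spurious flow through tempUserName is reported once, under the rule-based finding, while the direct flow through name survives at the data-flow level with its context-sensitive refinement linked beneath it.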
  • Referring now to FIG. 4, a system 400 for differential static program analysis is shown. The system 400 includes a processor 402 and memory 404 and one or more scanning tools 406. The scanning tools 406 employ the processor 402 and memory 404 to scan a program under test to determine whether the program violates one or more properties. The scanning tools 406 may operate at differing levels of precision or according to different methodologies (e.g., rule-based or data-flow-based). The results of the scanning tools 406 are reviewed by a mapping module, which establishes mappings between particular violations and the most appropriate precision level, while a reporting module 410 turns the mapped results into an intuitive, easy-to-use format for a user.
  • Having described preferred embodiments of a system and method for differential static program analysis (which are intended to be illustrative and not limiting), it is noted that modifications and variations can be made by persons skilled in the art in light of the above teachings. It is therefore to be understood that changes may be made in the particular embodiments disclosed which are within the scope of the invention as outlined by the appended claims. Having thus described aspects of the invention, with the details and particularity required by the patent laws, what is claimed and desired protected by Letters Patent is set forth in the appended claims.

Claims (20)

What is claimed is:
1. A method for program analysis comprising:
performing a high-level analysis on a program using a processor to generate one or more high-level findings;
performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; and
mapping the one or more low-level findings to the high-level findings to generate a concise combination report that categorizes each finding according to the highest-level analysis that produces the finding.
2. The method of claim 1, wherein mapping comprises:
generating a set that combines all of the high-level and low-level findings;
removing from the set any findings that were generated by an analysis having a higher associated level of precision than an analysis in question;
associating the set of remaining findings with the analysis in question; and
repeating said generating, removing, and associating for each analysis.
3. The method of claim 2, further comprising sorting the findings according to an associated level of precision.
4. The method of claim 1, further comprising linking analyses in the combination report to associate a suppressed finding in a first analysis to a full report on the finding in a second analysis.
5. The method of claim 1, wherein the high-level analysis is a rule-based analysis.
6. The method of claim 1, wherein the one or more low-level analyses are data-flow-based analyses.
7. The method of claim 1, wherein the one or more low-level analyses each have a different level of precision.
8. The method of claim 1, wherein the high-level analysis and the low-level analyses have a total order with respect to precision.
9. The method of claim 1, where the high-level analysis and the low-level analyses have a partial order with respect to precision.
10. The method of claim 1, wherein the combination report displays results associated with the analyses, such that high-level findings are grouped together and suppressed in information relating to low-level reports.
11. The method of claim 10, wherein the combination report includes links from suppressed information in low-level reports to the high-level findings.
12. A method for program analysis comprising:
performing a high-level analysis on a program using a processor to generate one or more high-level findings;
performing one or more low-level analyses on the program using a processor to generate one or more low-level findings;
mapping the one or more low-level findings to the high-level findings to generate a concise combination report that displays results associated with the analyses such that high-level findings are grouped together and suppressed in information relating to low-level reports; and
linking analyses in the combination report to associate a suppressed finding in a first analysis with a full report on the finding in a second analysis.
13. The method of claim 12, wherein mapping comprises:
generating a set that combines all of the high-level and low-level findings;
removing from the set any findings that were generated by an analysis having a higher associated level of precision than an analysis in question;
associating the set of remaining findings with the analysis in question; and
repeating said generating, removing, and associating for each analysis.
14. The method of claim 13, further comprising sorting the findings according to an associated level of precision.
15. The method of claim 12, wherein the high-level analysis is a rule-based analysis.
16. The method of claim 12, wherein the one or more low-level analyses are data-flow-based analyses.
17. The method of claim 12, wherein the one or more low-level analyses each have a different level of precision.
18. The method of claim 12, wherein the high-level analysis and the low-level analyses have a total order with respect to precision.
19. The method of claim 12, where the high-level analysis and the low-level analyses have a partial order with respect to precision.
20. A method for program analysis comprising:
performing a high-level analysis on a program using a processor to generate one or more high-level findings;
performing one or more low-level analyses on the program using a processor to generate one or more low-level findings;
mapping the one or more low-level findings to the high-level findings to generate a concise combination report that displays results associated with the analyses such that high-level findings are grouped together and suppressed in information relating to low-level reports, wherein said mapping comprises:
generating a set that combines all of the high-level and low-level findings;
removing from the set any findings that were generated by an analysis having a higher associated level of precision than an analysis in question;
associating the set of remaining findings with the analysis in question; and
repeating said generating, removing, and associating for each analysis; and
linking analyses in the combination report to associate a suppressed finding in a first analysis with a full report on the finding in a second analysis.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US13/656,244 US20140115564A1 (en) 2012-10-19 2012-10-19 Differential static program analysis
US13/673,419 US8935680B2 (en) 2012-10-19 2012-11-09 Differential static program analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/656,244 US20140115564A1 (en) 2012-10-19 2012-10-19 Differential static program analysis

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/673,419 Continuation US8935680B2 (en) 2012-10-19 2012-11-09 Differential static program analysis

Publications (1)

Publication Number Publication Date
US20140115564A1 true US20140115564A1 (en) 2014-04-24

Family

ID=50486573

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/656,244 Abandoned US20140115564A1 (en) 2012-10-19 2012-10-19 Differential static program analysis
US13/673,419 Active 2033-02-14 US8935680B2 (en) 2012-10-19 2012-11-09 Differential static program analysis

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/673,419 Active 2033-02-14 US8935680B2 (en) 2012-10-19 2012-11-09 Differential static program analysis

Country Status (1)

Country Link
US (2) US20140115564A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016053282A1 (en) * 2014-09-30 2016-04-07 Hewlett Packard Enterprise Development Lp String property labels for static analysis
US10127386B2 (en) * 2016-05-12 2018-11-13 Synopsys, Inc. Systems and methods for adaptive analysis of software
US10241892B2 (en) * 2016-12-02 2019-03-26 International Business Machines Corporation Issuance of static analysis complaints

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11036497B1 (en) 2018-10-24 2021-06-15 Cerner Innovation, Inc. Code assessment for quality control of an object relational mapper and correction of problematic cast functions

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6745384B1 (en) * 1998-05-29 2004-06-01 Microsoft Corporation Anticipatory optimization with composite folding

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU8065698A (en) 1997-06-13 1998-12-30 True Software, Inc. Systems and methods for scanning and modeling dependencies in software applications
US7421681B2 (en) 2003-10-09 2008-09-02 International Business Machines Corporation Method and system for autonomic monitoring of semaphore operation in an application
US8079037B2 (en) 2005-10-11 2011-12-13 Knoa Software, Inc. Generic, multi-instance method and GUI detection system for tracking and monitoring computer applications
US8365147B2 (en) * 2008-02-27 2013-01-29 Accenture Global Services Limited Test script transformation architecture
US8458662B2 (en) * 2008-02-27 2013-06-04 Accenture Global Services Limited Test script transformation analyzer with economic cost engine
US8527955B2 (en) 2009-09-11 2013-09-03 International Business Machines Corporation System and method to classify automated code inspection services defect output for defect analysis
CN102082659B (en) 2009-12-01 2014-07-23 厦门市美亚柏科信息股份有限公司 Vulnerability scanning system oriented to safety assessment and processing method thereof
US8813039B2 (en) 2010-04-14 2014-08-19 International Business Machines Corporation Method and system for software defect reporting

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016053282A1 (en) * 2014-09-30 2016-04-07 Hewlett Packard Enterprise Development Lp String property labels for static analysis
US10546132B2 (en) 2014-09-30 2020-01-28 Micro Focus Llc String property labels for static analysis
US10127386B2 (en) * 2016-05-12 2018-11-13 Synopsys, Inc. Systems and methods for adaptive analysis of software
US10133649B2 (en) * 2016-05-12 2018-11-20 Synopsys, Inc. System and methods for model-based analysis of software
US10241892B2 (en) * 2016-12-02 2019-03-26 International Business Machines Corporation Issuance of static analysis complaints

Also Published As

Publication number Publication date
US8935680B2 (en) 2015-01-13
US20140115563A1 (en) 2014-04-24

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUARNIERI, SALVATORE A.;TRIPP, OMER;PISTOIA, MARCO;SIGNING DATES FROM 20121018 TO 20121019;REEL/FRAME:029161/0258

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION