Differential static program analysis

a static program and analysis method technology, applied in the field of static code analysis, can solve the problems of limiting the usability of commercial analysis tools, false reports, and high false reports of static analysis tools

Inactive Publication Date: 2014-04-24
IBM CORP
View PDF1 Cites 5 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

These violations may be false reports due to the approximations the analysis applies to put bounds on the state space of the program, which could otherwise be infinite.
Since the tested properties are mostly hard to verify statically (e.g., security vulnerabilities, concurrency bugs, typestate violations, etc.), static analysis tools typically have a high proportion of false reports.
This limits the usability of commercial analysis tools: The size of the report, together with the poor quality of many of the findings, makes it difficult to translate the report into an actionable list of remediation tasks.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Differential static program analysis
  • Differential static program analysis
  • Differential static program analysis

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0018]The present principles provide for a differential static analysis, where using multiple analyses of increasing granularity enables the reporting of fewer findings compared to using more fine-grained analyses. Moreover, each of the reported findings is reported at an intuitive level, making it easier for the analyst to take appropriate remediating action in response to discovered violations. By grouping together similar findings, the job of the human reviewer is made much simpler, as similar violations are listed in such a way as to make identifying root causes easier.

[0019]Static security analysis typically takes the form of taint analysis, where the analysis is parameterized by a set of security rules, each rule being a triple , where Src denotes source statements that read untrusted user inputs, San denotes downgrader statements that endorse untrusted data by validating and / or sanitizing it, and Snk denotes sink statements which perform security-sensitive operations. Given a...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

Methods for program analysis include performing a high-level analysis on a program using a processor to generate one or more high-level findings; performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; mapping the one or more low-level findings to the high-level findings to generate a concise combination report that categorizes each finding according to the highest-level analysis that produces the finding.

Description

BACKGROUND[0001]1. Technical Field[0002]The present invention relates to static code analysis and, more particularly, to using multiple analyses with differing levels of precision to make static analysis reports more useful.[0003]2. Description of the Related Art[0004]Static code analysis is a powerful approach for software verification. Static analysis typically features one-sided error: a subject program is safe with regard to the tested property if no violations of the property are discovered by the analysis, which over-approximates the program's set of possible behaviors. However, if the analysis does report violations of the property, then that doesn't necessarily imply that the program is incorrect. These violations may be false reports due to the approximations the analysis applies to put bounds on the state space of the program, which could otherwise be infinite.[0005]Since the tested properties are mostly hard to verify statically (e.g., security vulnerabilities, concurrenc...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Applications(United States)
IPC IPC(8): G06F9/44
CPCG06F8/75G06F11/3604
Inventor GUARNIERI, SALVATORE ANGELOTRIPP, OMERPISTOIA, MARCO
Owner IBM CORP
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap