Listing by keyword "static analysis"
1 - 5 of 5
- Conference paper. CiFi: Versatile Analysis of Class and Field Immutability (Software Engineering 2022, 2022). Roth, Tobias; Helm, Dominik; Reif, Michael; Mezini, Mira. Abstract: This paper was accepted in 2021 at the 36th IEEE/ACM International Conference on Automated Software Engineering and proposes a model for immutability analysis. Reasoning about immutability is important for preventing bugs, e.g., in multi-threaded software. Static analysis to infer immutability properties has mostly focused on individual objects and references. Reasoning about fields and entire classes, while significantly simpler, has gained less attention. A consistently used terminology is missing, which makes it difficult to implement analyses that rely on immutability information. We propose a model for class and field immutability that unifies terminology for immutability flavors considered by previous work and covers new levels of immutability to handle lazy initialization and immutability dependent on generic type parameters. Using the OPAL static analysis framework, we implement CiFi, a set of modular, collaborating analyses for different flavors of immutability, inferring the properties defined in our model. We propose a benchmark of representative test cases for class and field immutability. We use the benchmark to showcase CiFi's precision and recall in comparison to the state of the art and use CiFi to study the prevalence of immutability in real-world libraries, showcasing the practical quality and relevance of our model.
- Conference paper. Explainable Static Analysis (Software Engineering und Software Management 2018, 2018). Bodden, Eric; Nguyen Quang Do, Lisa. Abstract: Static code analysis is an important tool that aids in the early detection of programming mistakes, including functional flaws, performance bottlenecks and security vulnerabilities. Past research in static analysis has mainly focused on the precise and efficient detection of programming mistakes, allowing new analyses to return more accurate results in a shorter time. However, end-user experience in industry has shown high abandonment rates for static analysis tools. Previous work has shown that current analysis tools are ill-adapted to meet the needs of their users, taking a long time to yield results and causing warnings to be frequently misinterpreted. This can quickly make the overall benefit of static analyses deteriorate. In this work, we argue for the need to develop a line of research on aiding users of static analysis tools, e.g., code developers, to better understand the findings reported by those tools. We outline how we plan to address this problem space by a novel line of research that ultimately seeks to change static analysis tools from being tools for static analysis experts to tools that can be mastered by general code developers. To achieve this goal, we plan to develop novel techniques for formulating, inspecting and debugging static analyses and the rule sets they validate programs against.
- Journal article. Improving Real-World Applicability of Static Taint Analysis (Softwaretechnik-Trends Band 42, Heft 2, 2022). Luo, Linghui. Abstract: Security breaches happen on a daily basis and are a serious threat to our society. Security incidents not only cost a significant amount of money and company reputation, but can also be a threat to national security. Static taint analysis is a program analysis technique that can be used to prevent a wide range of security vulnerabilities and detect malicious software. This dissertation focuses on improving the real-world applicability of static taint analysis. It addresses three existing problems that hinder the real-world adoption of static taint analysis.
- Conference paper. Introducing FUM: A Framework for API Usage Constraint and Misuse Classification (Software Engineering 2023, 2023). Schlichtig, Michael; Sassalla, Steffen; Narasimhan, Krishna; Bodden, Eric. Abstract: Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions for API misuses and related terms in the literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on the state-of-the-art misuse detection tool CogniCrypt. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements.
- Conference paper. Static architecture evaluation of open source reuse candidates (NODe 2006 – GSEM 2006, 2006). Knodel, Jens; Muthig, Dirk; Naab, Matthias. Abstract: Open source software systems provide a variety of field-tested components offering software development organizations the potential to reuse and adapt such components for their own purposes. The main challenge before achieving the reuse benefits is to acquire a thorough understanding of open source software systems (i.e., the reuse candidates) in order to reason about alternative solutions, to learn about the points where to adapt the system and eventually to decide whether or not to invest in reuse. Manually analyzing even small systems is a time-consuming, complex and costly task. In this paper we present a case study where we analyzed the Apache Tomcat web server supported by a software architecture visualization and evaluation tool and demonstrate how the tool facilitated our comprehension tasks to learn about the architectural means and concepts.
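The CiFi entry above distinguishes fields that are never reassigned, fields that are lazily initialized, and fields that remain assignable. The following added example (my own code, not CiFi or the OPAL framework, which analyse JVM bytecode) shows the same three-way field classification over Python classes using the standard `ast` module. The category names, the `if self.f is None:` idiom used to recognise lazy initialization, and the `Account` sample class are assumptions made for this illustration.

```python
import ast
from typing import Dict, List, Optional, Set, Tuple


def _self_fields(target: ast.AST, self_name: str) -> List[str]:
    """Field names written by a target such as `self.x` or `self.a, self.b = ...`."""
    if (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name)
            and target.value.id == self_name):
        return [target.attr]
    if isinstance(target, (ast.Tuple, ast.List)):
        return [f for elt in target.elts for f in _self_fields(elt, self_name)]
    return []


def _none_guard(test: ast.AST, self_name: str) -> Optional[str]:
    """Return 'f' when `test` is `self.f is None` (the compute-once idiom)."""
    if (isinstance(test, ast.Compare) and len(test.ops) == 1
            and isinstance(test.ops[0], ast.Is)
            and isinstance(test.comparators[0], ast.Constant)
            and test.comparators[0].value is None):
        fields = _self_fields(test.left, self_name)
        return fields[0] if fields else None
    return None


def _field_writes(method: ast.FunctionDef) -> List[Tuple[str, bool]]:
    """(field, guarded) for every write to self.<field> in `method`; guarded means
    the write sits under an `if self.<field> is None:` check."""
    self_name = method.args.args[0].arg if method.args.args else "self"
    writes: List[Tuple[str, bool]] = []

    def visit(node: ast.AST, guards: Set[str]) -> None:
        if isinstance(node, ast.If):
            g = _none_guard(node.test, self_name)
            inner = guards | ({g} if g else set())
            for child in node.body:
                visit(child, inner)
            for child in node.orelse:      # the else branch is not guarded
                visit(child, guards)
            return
        if isinstance(node, (ast.Assign, ast.AugAssign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for target in targets:
                for field in _self_fields(target, self_name):
                    writes.append((field, field in guards))
        for child in ast.iter_child_nodes(node):
            visit(child, guards)

    for stmt in method.body:
        visit(stmt, set())
    return writes


def classify_fields(source: str, class_name: str) -> Dict[str, str]:
    """Classify each field of `class_name` as
       'non-assignable'     : written only in __init__,
       'lazily-initialized' : set in __init__ and rewritten only under `if self.f is None`,
       'assignable'         : rewritten anywhere else after construction."""
    tree = ast.parse(source)
    cls = next(n for n in ast.walk(tree)
               if isinstance(n, ast.ClassDef) and n.name == class_name)
    in_init: Set[str] = set()
    guarded: Set[str] = set()
    unguarded: Set[str] = set()
    for method in cls.body:
        if not isinstance(method, ast.FunctionDef):
            continue
        for field, is_guarded in _field_writes(method):
            if method.name == "__init__":
                in_init.add(field)
            elif is_guarded:
                guarded.add(field)
            else:
                unguarded.add(field)
    result: Dict[str, str] = {}
    for field in in_init | guarded | unguarded:
        if field in unguarded or (field in guarded and field not in in_init):
            result[field] = "assignable"
        elif field in guarded:
            result[field] = "lazily-initialized"
        else:
            result[field] = "non-assignable"
    return result


def classify_class(source: str, class_name: str) -> str:
    """A class is field-immutable when no field is assignable after construction."""
    kinds = set(classify_fields(source, class_name).values())
    return "mutable" if "assignable" in kinds else "immutable"


# Constructed sample class (assumption for this example, not from the paper).
SAMPLE = '''
class Account:
    def __init__(self, owner, limit):
        self.owner = owner
        self.limit = limit
        self._digest = None
        self.history = []

    def digest(self):
        if self._digest is None:
            self._digest = hash((self.owner, self.limit))
        return self._digest

    def raise_limit(self, amount):
        self.limit += amount

    def record(self, entry):
        self.history.append(entry)
'''

if __name__ == "__main__":
    for field, kind in classify_fields(SAMPLE, "Account").items():
        print(f"{field}: {kind}")
    print("class:", classify_class(SAMPLE, "Account"))
```

For the sample class, `owner` and `history` are non-assignable, `_digest` is lazily initialized and `limit` is assignable, so the class as a whole is mutable. Note the caveat the abstract's distinction between field and object immutability implies: `history` is never reassigned, yet `record` mutates the list it references; a field-level check like this one does not see that, which is what the transitive immutability flavors in the paper's model are for.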
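The taint-analysis entry above describes the technique only in one sentence. As an added example (my own code, not part of the dissertation or any tool it evaluates), here is a minimal forward, intraprocedural static taint analysis over Python's `ast`: values returned by sources are tainted, taint propagates through expressions and assignments, sanitizer calls clear it, and a sink call receiving a tainted argument is reported. The source, sink and sanitizer lists and the `handler` sample are assumptions constructed for this illustration; real tools use large, framework-specific lists.

```python
import ast
from typing import Iterable, List, Optional, Set, Tuple

# Constructed specification for this example (assumption, not a tool's real list).
SOURCE_CALLS = {"input", "request.args.get"}          # calls returning attacker data
SOURCE_NAMES = {"sys.argv", "os.environ"}             # values that are attacker data
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "int"}                   # calls whose result is trusted


def dotted_name(node: ast.AST) -> Optional[str]:
    """'a.b.c' for Name/Attribute chains, None for any other expression."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr: ast.AST, tainted: Set[str]) -> bool:
    """Expression rule: tainted if any operand is, unless produced by a sanitizer."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Constant):
        return False
    if isinstance(expr, ast.Call):
        callee = dotted_name(expr.func)
        if callee in SOURCE_CALLS:
            return True
        if callee in SANITIZERS:
            return False
        operands = list(expr.args) + [k.value for k in expr.keywords]
        if isinstance(expr.func, ast.Attribute):      # user.strip() keeps the taint
            operands.append(expr.func.value)
        return any(is_tainted(a, tainted) for a in operands)
    if dotted_name(expr) in SOURCE_NAMES:
        return True
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))


def _record_sinks(node: ast.AST, tainted: Set[str], findings: Set[Tuple[int, str]]) -> None:
    """Report every sink call inside `node` that receives a tainted argument."""
    for call in ast.walk(node):
        if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
            args = list(call.args) + [k.value for k in call.keywords]
            if any(is_tainted(a, tainted) for a in args):
                findings.add((call.lineno, dotted_name(call.func)))


def _transfer(stmts: Iterable[ast.stmt], tainted: Set[str],
              findings: Set[Tuple[int, str]]) -> Set[str]:
    """Push the set of tainted variables through a statement list."""
    tainted = set(tainted)
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            _record_sinks(stmt.test, tainted, findings)
            # May-analysis: tainted after the if when tainted on either branch.
            # Implicit flows through the condition itself are not tracked.
            tainted = (_transfer(stmt.body, tainted, findings)
                       | _transfer(stmt.orelse, tainted, findings))
        elif isinstance(stmt, (ast.For, ast.While)):
            if isinstance(stmt, ast.For):
                _record_sinks(stmt.iter, tainted, findings)
                if isinstance(stmt.target, ast.Name) and is_tainted(stmt.iter, tainted):
                    tainted.add(stmt.target.id)
            else:
                _record_sinks(stmt.test, tainted, findings)
            while True:   # fixpoint: the taint set only grows, so this terminates
                after = _transfer(stmt.body, tainted, findings) | tainted
                if after == tainted:
                    break
                tainted = after
            tainted = _transfer(stmt.orelse, tainted, findings)
        else:
            # Other compound statements (with/try) are only scanned for sinks here.
            _record_sinks(stmt, tainted, findings)
            if isinstance(stmt, (ast.Assign, ast.AugAssign, ast.AnnAssign)) and stmt.value is not None:
                value_tainted = is_tainted(stmt.value, tainted)
                targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
                for target in targets:
                    if not isinstance(target, ast.Name):
                        continue          # attribute/subscript/tuple targets not modelled
                    if value_tainted:
                        tainted.add(target.id)
                    elif not isinstance(stmt, ast.AugAssign):
                        tainted.discard(target.id)   # strong update: clean overwrite kills taint
    return tainted


def find_taint_flows(source: str) -> List[Tuple[int, str]]:
    """Analyse every function in `source`; returns sorted (line, sink) findings."""
    findings: Set[Tuple[int, str]] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            _transfer(node.body, set(), findings)
    return sorted(findings)


# Constructed sample: one direct flow, one sanitized flow, one path-dependent flow.
SAMPLE = '''\
import os, shlex, subprocess

def handler(request):
    user = request.args.get("name")
    greeting = "Hello " + user
    os.system("echo " + greeting)
    safe = shlex.quote(user)
    os.system("echo " + safe)
    if request.args.get("debug"):
        cmd = "ls " + user
    else:
        cmd = "ls"
    subprocess.call(cmd, shell=True)
    user = "fixed"
    os.system(user)
'''

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: attacker-controlled data reaches {sink}")
```

On the sample the analysis reports line 6 (`os.system` on the concatenated greeting) and line 13 (`subprocess.call` on `cmd`, which is tainted on one of the two paths), while the `shlex.quote` call and the later overwrite of `user` suppress the other two sink calls. The abstract's point about real-world applicability is visible even at this size: the result depends entirely on the source/sink/sanitizer lists, the analysis is intraprocedural, and it ignores implicit flows and container or attribute targets, each of which is a precision or recall gap a production tool has to close.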