DocumentCode :
3478117
Title :
Test-Driving Static Analysis Tools in Search of C Code Vulnerabilities
Author :
Chatzieleftheriou, George ; Katsaros, Panagiotis
Author_Institution :
Dept. of Inf., Aristotle Univ. of Thessaloniki, Thessaloniki, Greece
fYear :
2011
fDate :
18-22 July 2011
Firstpage :
96
Lastpage :
103
Abstract :
Recently, a number of tools for automated code scanning came into the limelight. Due to the significant costs associated with incorporating such a tool in the software lifecycle, it is important to know what defects are detected and how accurate and efficient the analysis is. We focus specifically on popular static analysis tools for C code defects. Existing benchmarks include the actual defects in open source programs, but they lack systematic coverage of possible code defects and the coding complexities in which they arise. We introduce a test suite implementing the discussed requirements for frequent defects selected from public catalogues. Four open source and two commercial tools are compared in terms of the effectiveness and efficiency of their detection capability. A wide range of C constructs is taken into account and appropriate metrics are computed, which show how the tools balance inherent analysis tradeoffs and efficiency. The results are useful for identifying the appropriate tool, in terms of cost-effectiveness, while the proposed methodology and test suite may be reused.
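As an added illustration (not the paper's test suite, its tool reports, or its results): one benchmark entry of the kind the abstract describes, a frequent C defect (an out-of-bounds array write) placed behind a coding complexity (the index is advanced through a helper call inside a loop), as a defective/clean variant pair, together with the per-case scoring a tool comparison would run over each tool's reports. `fill_bad`, `fill_good`, `score_tool`, `next_index` and the report data are all constructed for this example.

```c
/* Added illustration, not the paper's test suite or its results.
 * One benchmark entry in the style the abstract describes: a frequent C
 * defect (out-of-bounds write) placed behind a "coding complexity" (the
 * index is advanced through a helper function inside a loop), with a
 * defective and a clean variant, plus the scoring a comparison computes
 * over each tool's reports. All names and report data are constructed. */
#include <stdio.h>

#define BUF_LEN 8

/* Coding complexity: the index reaches the write via an interprocedural
 * step, so a tool needs some interprocedural or loop reasoning to relate
 * i to count. */
static int next_index(int i)
{
    return i + 1;
}

/* Defective variant: no bound on count, so count > BUF_LEN writes past buf.
 * Callers in this example only pass count <= BUF_LEN, keeping it runnable. */
int fill_bad(char *buf, int count)
{
    int i = 0;
    while (i < count) {
        buf[i] = 'A';
        i = next_index(i);
    }
    return i;                 /* number of bytes written */
}

/* Clean variant: identical control flow, but the loop is clamped to the
 * buffer and the result is NUL-terminated. */
int fill_good(char *buf, int count)
{
    int i = 0;
    while (i < count && i < BUF_LEN - 1) {
        buf[i] = 'A';
        i = next_index(i);
    }
    buf[i] = '\0';
    return i;                 /* number of 'A's written, at most BUF_LEN - 1 */
}

/* Scoring. Each test case is a (bad, good) pair with fixed ground truth:
 * the bad variant contains the defect, the good variant does not.
 * reports[c][BAD] == 1 means the tool flagged the bad variant of case c. */
enum { BAD = 0, GOOD = 1 };

struct score {
    int tp, fp, fn, tn;
};

struct score score_tool(int ncases, const int reports[][2])
{
    struct score s = { 0, 0, 0, 0 };
    for (int c = 0; c < ncases; c++) {
        if (reports[c][BAD])  s.tp++; else s.fn++;   /* defect found / missed */
        if (reports[c][GOOD]) s.fp++; else s.tn++;   /* clean code flagged / passed */
    }
    return s;
}

double precision(struct score s)
{
    return (s.tp + s.fp) ? (double)s.tp / (s.tp + s.fp) : 0.0;
}

double recall(struct score s)
{
    return (s.tp + s.fn) ? (double)s.tp / (s.tp + s.fn) : 0.0;
}

/* Constructed reports for a hypothetical tool over three test cases:
 * finds case 0, finds case 1 but also flags its clean twin, misses case 2. */
static const int TOOL_REPORTS[3][2] = { { 1, 0 }, { 1, 1 }, { 0, 0 } };

struct score demo_score(void)
{
    return score_tool(3, TOOL_REPORTS);
}

int main(void)
{
    char buf[BUF_LEN];
    struct score s = demo_score();

    printf("fill_good wrote %d bytes into a %d-byte buffer\n",
           fill_good(buf, 20), BUF_LEN);
    printf("tp=%d fp=%d fn=%d tn=%d precision=%.2f recall=%.2f\n",
           s.tp, s.fp, s.fn, s.tn, precision(s), recall(s));
    return 0;
}
```

Each real test case in such a suite would vary the complexity (aliasing, pointer arithmetic, indirect calls, macros) around the same defect, so that a tool's hit or miss can be attributed to a specific construct; the scoring above is what turns those hits and misses into the effectiveness metrics a cost comparison needs.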
Keywords :
computational complexity; program compilers; program diagnostics; program testing; public domain software; C code vulnerabilities; automated code scanning; coding complexities; open source programs; software lifecycle; static analysis tool test driving; test suite; Benchmark testing; Context; Memory management; Sensitivity; Software; System recovery; benchmark tests; software security; static analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Software and Applications Conference Workshops (COMPSACW), 2011 IEEE 35th Annual
Conference_Location :
Munich
Print_ISBN :
978-1-4577-0980-7
Electronic_ISBN :
978-0-7695-4459-5
Type :
conf
DOI :
10.1109/COMPSACW.2011.26
Filename :
6032220