Static analysis of source code security: Assessment of tools against SAMATE tests

Abstract

Context

Static analysis tools are used to discover security vulnerabilities in source code. They suffer from false negatives and false positives. A false positive is a reported vulnerability in a program that is not really a security problem. A false negative is a vulnerability in the code which is not detected by the tool.

Objective

The main goal of this article is to provide objective assessment results following a well-defined and repeatable methodology that analyzes the performance detecting security vulnerabilities of static analysis tools. The study compares the performance of nine tools (CBMC, K8-Insight, PC-lint, Prevent, Satabs, SCA, Goanna, Cx-enterprise, Codesonar), most of them commercials tools, having a different design.

Method

We executed the static analysis tools against SAMATE Reference Dataset test suites 45 and 46 for C language. One includes test cases with known vulnerabilities and the other one is designed with specific vulnerabilities fixed. Afterwards, the results are analyzed by using a set of well known metrics.

Results

Only SCA is designed to detect all vulnerabilities considered in SAMATE. None of the tools detect “cross-site scripting” vulnerabilities. The best results for F-measure metric are obtained by Prevent, SCA and K8-Insight. The average precision for analyzed tools is 0.7 and the average recall is 0.527. The differences between all tools are relevant, detecting different kinds of vulnerabilities.

Conclusions

The results provide empirical evidences that support popular propositions not objectively demonstrated until now. The methodology is repeatable and allows ranking strictly the analyzed static analysis tools, in terms of vulnerabilities coverage and effectiveness for detecting the highest number of vulnerabilities having few false positives. Its use can help practitioners to select appropriate tools for a security review process of code. We propose some recommendations for improving the reliability and usefulness of static analysis tools and the process of benchmarking.

Introduction

The world is facing today some of the biggest security challenges because of different kinds of computer risks: from identity theft to spyware, from traditional sniffing of secure information to electronic warfare. Many industries depend more and more on various pieces of software coming from vendors, open source or third parties. The number of systems with more complex interactions is growing as well, comprising operating system and application patches coming from Internet or from collaboration through different distributed sites. The security needs for avionic systems, Black [1], or the most recent Flame virus attack [2] demonstrate that information security is a multifaceted problem with a common factor: the users need security assurance on the software they use.

Software engineers must consider a variety of strategies to build sufficiently dependable software before release. Indeed the tools used for software development and maintenance can supply developers with information for assurance cases. This information must be gathered to get software secure enough for its intended use. Among these tools the automatic static source code security scanners can be used for examining legacy code and, also, as a routine task included in the software development lifecycle. Static analysis of source code is a fault-detection technique [3], which does not require program execution. Automated static security analysis tools of source code are increasingly used today and taken into account in software development strategies, following an easy scheme as seen in Fig. 1. They are designed to detect vulnerabilities: flaws, faults, bugs and other errors in software code that, if left unaddressed, could lead to exploitable security vulnerabilities.

Nevertheless, static source code security analysis tools are far from being standard tools. Their internal design determines which set of vulnerabilities can detect. Commercial tools have a lack of public information about the design and their code is not accessible. The classification used by the tools for found vulnerabilities is different in each of the tools, making difficult the comparison of the results. A real benchmark is necessary to compare their performance, in terms of the number of detected vulnerabilities (true and false positives), their usability and to state, independently, which are the best ones for each environment. Finally, the fact that these tools can be used by any developer, even by the ones without previous information security experience, is doubtful. In accordance with Chess and West [4] and Howard [5], and against the claims of some vendors, it is relevant to know if an information security experienced user is necessary to get the best results of these tools.

These tools have begun to be part of the toolset for many software development teams, although a clear understanding of their strengths and limitations is still needed. This work aims to contribute in clarifying some aspects of this matter.

The first goal of this study is to provide objective assessment results, following a well-defined and repeatable methodology that allows an evaluation of the performance of vulnerabilities detection capacity of static code security analyzers. The methodology uses a selected benchmark with a well-known set of security vulnerabilities. A tool has the best performance against a benchmark if it has the best balance between detecting the highest number of true positives and having few false positives. The benchmark must be “repeatable, portable, scalable, representative, require minimum changes in the target tools and simple to use”, in accordance with Gray [52]. Several benchmarks initiatives have been analyzed and the NIST SAMATE Reference Dataset [6] project meets all these requirements. It compiles a suite of synthetic benchmarks with support for multiplatform and for the C/C++, Java, J2EE and PHP languages, with coverage for most of vulnerabilities categories.

The second goal is to use the methodology for comparing the performance of nine different tools for C/C++ languages (CBMC, K8-Insight, PC-lint, Prevent, Satabs, SCA, Goanna, Cx-enterprise, Codesonar), having a different design. The study searches their effectiveness in terms of the number of detected security vulnerabilities and uses a selected and widely accepted set of metrics. This evaluation allows providing some practical recommendations for the use of these tools and also on how to improve their effectiveness.

The study searches also to characterize how automatic the behavior of the tools is or, in other words, if an experienced user is necessary or not to get the best performance of these tools. Some of these tools, especially the commercial ones, claim not needing security expert people working on the results produced by the tools, and we wanted to clarify this statement.

The rest of the paper is organized as follows: Section 2 makes a tour on previous work about static analysis comparison and existing benchmarks; Section 3 presents a theoretical analysis of the advantages/disadvantages of the current static source code security analysis tools; Section 4 describes the methodology used when working with the NIST SAMATE tests, the evaluation metrics and the static source code security analysis tools selected for our work; Section 5 shows the results for the evaluation of these tools against the SAMATE test suites; Section 6 offers a discussion on the main results of the study and, finally, Section 7 draws some conclusions and recommendations about the work done and outlines possible future work.