Abstract
This paper considers the development of dependency analysis methods to improve the precision of static code analysis. It explains the reasons for precision loss when detecting defects in program source code using abstract interpretation methods. The need for extraction and interpretation of program object dependencies is justified by numerous real-world examples. A dependency classification is presented. The necessity of aggregate analysis of values and dependencies is considered. Dependency extraction from assignment statements is described. Dependency interpretation based on logic inference using logic and arithmetic rules is proposed. The proposed methods are implemented in the defect detection tool Digitek Aegis, and a significant increase in precision is shown.
Additional information
Original Russian Text © M.I. Glukhikh, V.M. Itsykson, V.A. Tsesko, 2011, published in Modelirovanie i Analiz Informatsionnykh Sistem, 2011, No. 4, pp. 68–79.
The article was translated by the author.
About this article
Cite this article
Glukhikh, M.I., Itsykson, V.M. & Tsesko, V.A. Using dependencies to improve precision of code analysis. Aut. Control Comp. Sci. 46, 338–344 (2012). https://doi.org/10.3103/S0146411612070097
DOI: https://doi.org/10.3103/S0146411612070097