Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions

Submitted by grigby1 on Fri, 02/22/2019 - 4:11pm

Title	Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions
Publication Type	Conference Paper
Year of Publication	2018
Authors	Gauthier, F., Keynes, N., Allen, N., Corney, D., Krishnan, P.
Conference Name	2018 IEEE Cybersecurity Development (SecDev)
Date Published	Oct. 2018
Publisher	IEEE
ISBN Number	978-1-5386-7662-2
Keywords	applications code, C/C++ systems code, composability, Conferences, Databases, Human Behavior, Java, Java EE, low false positives, Metrics, PL/SQL server stack, program diagnostics, pubcrawl, relational database security, relational databases, Resiliency, scalable static analysis, security, security of data, security vulnerabilities, SQL, static analysis, Static Analysis Tool, static code analysis, Tools, Trademarks
Abstract	Parfait [1] is a static analysis tool originally developed to find implementation defects in C/C++ systems code. Parfait's focus is on proving both high precision (low false positives) as well as scaling to systems with millions of lines of code (typically requiring 10 minutes of analysis time per million lines). Parfait has since been extended to detect security vulnerabilities in applications code, supporting the Java EE and PL/SQL server stack. In this abstract we describe some of the challenges we encountered in this process including some of the differences seen between the applications code being analysed, our solutions that enable us to analyse a variety of applications, and a summary of the challenges that remain.
URL	https://ieeexplore.ieee.org/document/8543402
DOI	10.1109/SecDev.2018.00030
Citation Key	gauthier_scalable_2018

Groups:

Science of Security VO