ISA: a source code static vulnerability detection system based on data fusion

Authors:
Deguang Kong;Quan Zheng;Chao Chen;Jianmei Shuai;Ming Zhu
Affiliations:
University of Science & Technology of China;University of Science & Technology of China;University of Science & Technology of China;University of Science & Technology of China;University of Science & Technology of China
Venue:
Proceedings of the 2nd international conference on Scalable information systems
Year:
2007

Citing 10
Cited 1

LCLint: a tool for using specifications to check code

SIGSOFT '94 Proceedings of the 2nd ACM SIGSOFT symposium on Foundations of software engineering
Xml: Content and Data

Xml: Content and Data
MOPS: an infrastructure for examining security properties of software

Proceedings of the 9th ACM conference on Computer and communications security
ITS4: A static vulnerability scanner for C and C++ code

ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
Static analysis and computer security: new techniques for software assurance

Static analysis and computer security: new techniques for software assurance
Correlation exploitation in error ranking

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
Static Analysis for Security

IEEE Security and Privacy
The CodeSurfer Software Understanding Platform

IWPC '05 Proceedings of the 13th International Workshop on Program Comprehension
Software Security

IEEE Security and Privacy
Z-ranking: using statistical analysis to counter the impact of static analysis approximations

SAS'03 Proceedings of the 10th international conference on Static analysis

A systematic literature review of actionable alert identification techniques for automated static code analysis

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Static analysis is a kind of effective method to detect the vulnerabilities in the software. Without running the programs, static analysis tools can be used to automatically discover unknown bugs. To cope with the problem of high false positives and false negatives in source code static analysis methods, this paper presents a source code static analysis technology for vulnerability detection based on data fusion. By parsing and making data fusion on the outcome of different static analysis methods, this technology lets different results validate each other, which greatly decreases the false positives and false negatives. Brief explanations are given to support this method. A prototype system of scalable source code analysis system (ISA for short) is designed and implemented which also can automatically search for the best result based on feedback of the user interaction. The whole system is scalable and platform-independent. It is proved by experiment that this method has a better performance with lower false positives and false negatives and higher efficiency compared with one single method.