Taming false alarms from a domain-unaware C analyzer by a Bayesian statistical post analysis

Authors:
Yungbum Jung;Jaehwang Kim;Jaeho Shin;Kwangkeun Yi
Affiliations:
Programming Research Laboratory, School of Computer Science and Engineering, Seoul National University;Programming Research Laboratory, School of Computer Science and Engineering, Seoul National University;Programming Research Laboratory, School of Computer Science and Engineering, Seoul National University;Programming Research Laboratory, School of Computer Science and Engineering, Seoul National University
Venue:
SAS'05 Proceedings of the 12th international conference on Static Analysis
Year:
2005

Citing 9
Cited 14

Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation

PLILP '92 Proceedings of the 4th International Symposium on Programming Language Implementation and Logic Programming
CSSV: towards a realistic tool for statically detecting all buffer overflows in C

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
A static analyzer for large safety-critical software

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Testing static analysis tools using exploitable buffer overflows from open source code

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
Finding bugs is easy

ACM SIGPLAN Notices
Z-ranking: using statistical analysis to counter the impact of static analysis approximations

SAS'03 Proceedings of the 10th international conference on Static analysis
Trace partitioning in abstract interpretation based static analyzers

ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems
The ASTRÉE analyzer

ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems

An empirical study on classification methods for alarms from a bug-finding static C analyzer

Information Processing Letters
Filtering false alarms of buffer overflow analysis using SMT solvers

Information and Software Technology
Large Spurious Cycle in Global Static Analyses and Its Algorithmic Mitigation

APLAS '09 Proceedings of the 7th Asian Symposium on Programming Languages and Systems
An algorithmic mitigation of large spurious interprocedural cycles in static analysis

Software—Practice & Experience
A systematic literature review of actionable alert identification techniques for automated static code analysis

Information and Software Technology
Access analysis-based tight localization of abstract memories

VMCAI'11 Proceedings of the 12th international conference on Verification, model checking, and abstract interpretation
MeCC: memory comparison-based clone detector

Proceedings of the 33rd International Conference on Software Engineering
Static analysis of string manipulations in critical embedded C programs

SAS'06 Proceedings of the 13th international conference on Static Analysis
Access-Based localization with bypassing

APLAS'11 Proceedings of the 9th Asian conference on Programming Languages and Systems
Sound non-statistical clustering of static analysis alarms

VMCAI'12 Proceedings of the 13th international conference on Verification, Model Checking, and Abstract Interpretation
Design and implementation of sparse global analyses for C-like languages

Proceedings of the 33rd ACM SIGPLAN conference on Programming Language Design and Implementation
Inferring definite counterexamples through under-approximation

NFM'12 Proceedings of the 4th international conference on NASA Formal Methods
Adoption of Model-Based Testing and Abstract Interpretation by a Railway Signalling Manufacturer

International Journal of Embedded and Real-Time Communication Systems
Taming compiler fuzzers

Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation

Abstract

We present our experience of combining, in a realistic setting, a static analyzer with a statistical analysis. The combination aims to reduce the inevitable false alarms from a domain-unaware static analyzer. Our analyzer, named Airac (Array Index Range Analyzer for C), collects all the true buffer-overrun points in ANSI C programs. Soundness is maintained, and the analysis's cost-accuracy balance is improved by techniques that the static analysis community has long accumulated. For the false alarms that still remain, which are always apt to occur for particular C programs (e.g., Airac raised 970 buffer-overrun alarms in commercial C programs of 5.3 million lines, and 737 of the 970 alarms were false), we use a statistical post analysis. Given the analysis results (alarms), the statistical analysis sifts out probable false alarms and prioritizes true alarms by estimating the probability of each alarm being true. The probabilities are used in two ways: 1) only the alarms whose true-alarm probabilities are higher than a threshold are reported to the user; 2) the alarms are sorted by probability before reporting, so that the user can check highly probable errors first. In our experiments with Linux kernel sources, when we set the risk of missing a true error to be about 3 times greater than that of raising a false alarm, 74.83% of false alarms could be filtered; only 15.17% of false alarms were mixed in by the time the user had observed 50% of the true alarms.
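
The two uses of the probabilities described in the abstract, thresholding and ranking, can be illustrated with a minimal Python sketch. It is not Airac's implementation. The `Alarm` record, the function names, the sample locations and the sample probabilities are all hypothetical. The sketch also assumes a standard expected-cost rule for turning the 3-to-1 risk ratio into a threshold, and a uniform Beta(1, 1) prior for the rate estimate; the abstract does not state either choice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    location: str   # hypothetical "file:line" label, for illustration only
    p_true: float   # estimated probability that the alarm is a real error


def posterior_mean(true_count: int, total: int) -> float:
    """Posterior mean of a true-alarm rate under a uniform Beta(1, 1) prior.

    Assumption: the prior is chosen here for simplicity, not taken from the paper.
    """
    return (true_count + 1) / (total + 2)


def report_threshold(cost_miss: float, cost_false_alarm: float) -> float:
    """Probability above which reporting has the lower expected cost.

    Hiding an alarm costs p * cost_miss in expectation; reporting it costs
    (1 - p) * cost_false_alarm. Reporting wins when
    p >= cost_false_alarm / (cost_miss + cost_false_alarm).
    """
    return cost_false_alarm / (cost_miss + cost_false_alarm)


def triage(alarms, threshold):
    """Drop alarms below the threshold, then sort the rest, most probable first."""
    kept = [a for a in alarms if a.p_true >= threshold]
    return sorted(kept, key=lambda a: a.p_true, reverse=True)


# Made-up alarms; the probabilities are not results from the paper.
alarms = [
    Alarm("a.c:10", 0.10),
    Alarm("b.c:42", 0.80),
    Alarm("c.c:7", 0.25),
    Alarm("d.c:99", 0.55),
]

# Missing a true error is treated as 3 times as costly as a false alarm.
threshold = report_threshold(cost_miss=3.0, cost_false_alarm=1.0)
reported = triage(alarms, threshold)

print(threshold)
print([a.location for a in reported])

# Overall true-alarm rate implied by the abstract's counts (970 alarms, 737 false).
print(posterior_mean(970 - 737, 970))
```

Under this cost rule, a 3-to-1 risk ratio puts the reporting threshold at 0.25, so an alarm is hidden only when its estimated probability of being true falls below one in four. A real post analysis would estimate `p_true` per alarm from features of the alarm rather than from a single overall rate.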