THE EXPERIENCE OF COMPARISON OF STATIC SECURITY CODE ANALYZERS

Alexey Markov, Andrew Fadin, Vladislav Shvets, Valentin Tsirlov


Abstract


This work presents a methodological approach to the comparison of static security code analyzers. It justifies comparing static analyzers by the efficiency and functionality indicators stipulated in international regulatory documents. The test data for assessing analyzer efficiency consists of synthetic sets of open-source software that contain vulnerabilities. We justified criteria for assessing the quality of static security code analyzers in accordance with the standards NIST SP 500-268 and SATEC. Our experiments assessed a number of Russian proprietary software tools and open-source tools. We conclude that it is of paramount importance to develop a Russian regulatory framework for software security testing (primarily for the control of undocumented features) and for evaluating the quality of static security code analyzers.
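As an added illustration of how analyzer efficiency is measured against a labelled synthetic test set of the kind the abstract describes (added here, not code from the paper or its authors): the script scores a constructed analyzer report against constructed ground truth, counting per-CWE true positives, false positives (including flagged safe variants) and misses. All file names, line numbers and CWE ids are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    """One labelled location in a synthetic test case (constructed, not the paper's data)."""
    file: str
    line: int
    cwe: str
    bad: bool  # True: real weakness; False: safe variant the tool must not flag

# Constructed ground truth: hypothetical file names, lines and CWE ids.
GROUND_TRUTH = [
    Site("cwe121_stack_overflow.c", 18, "CWE-121", True),
    Site("cwe121_stack_overflow.c", 31, "CWE-121", False),
    Site("cwe78_os_cmd.c", 12, "CWE-78", True),
    Site("cwe78_os_cmd.c", 27, "CWE-78", False),
    Site("cwe134_format.c", 9, "CWE-134", True),
]
# Constructed analyzer report as (file, line, cwe) triples.
TOOL_REPORT = [
    ("cwe121_stack_overflow.c", 18, "CWE-121"),  # hits the real weakness
    ("cwe121_stack_overflow.c", 31, "CWE-121"),  # flags the safe variant: false positive
    ("cwe78_os_cmd.c", 13, "CWE-78"),            # one line off, still counted as a hit
    ("cwe78_os_cmd.c", 5, "CWE-89"),             # no labelled site: false positive
]

def score(truth, report, line_slack=1):
    """Per-CWE TP/FP/FN, precision, recall and F1 for one analyzer run.
    A finding matches a site when file and CWE agree and the line is within
    line_slack of the labelled line; each site may be claimed only once."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0})
    claimed = set()
    for file, line, cwe in report:
        site = next((s for s in truth if s.file == file and s.cwe == cwe
                     and abs(s.line - line) <= line_slack and s not in claimed), None)
        if site is not None and site.bad:
            counts[cwe]["tp"] += 1
            claimed.add(site)
        else:
            counts[cwe]["fp"] += 1  # safe variant, duplicate report, or unrelated location
    for s in truth:  # real weaknesses nobody claimed are misses
        if s.bad and s not in claimed:
            counts[s.cwe]["fn"] += 1
    result = {}
    for cwe, c in counts.items():
        p = c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0
        r = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
        f1 = 2 * p * r / (p + r) if p + r else 0.0
        result[cwe] = {**c, "precision": p, "recall": r, "f1": f1}
    return result
```

Safe variants beside each weakness are what expose a tool that simply flags every call of a dangerous API; comparing two tools on the same set gives the efficiency ranking, while functionality (languages, CWE coverage, reporting) is judged separately.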


Keywords


information security; software security; static analysis; code vulnerabilities; security weaknesses; undocumented features; program testing; security audit

Full text: PDF (English)

References


Ayewah, N., Hovemeyer, D., Morgenthaler, J. D., Penix, J., Pugh, W. 2008. Using Static Analysis to Find Bugs. IEEE Software, 25(5), 22-29. DOI: http://dx.doi.org/10.1109/MS.2008.130.

Baier, C., Katoen, J.-P. 2008. Principles of Model Checking. MIT Press. 984 p.

Boulanger, J. L. (Ed.). 2011. Static Analysis of Software: The Abstract Interpretation. Wiley-ISTE.

Bronshteyn, I. E. 2013. Study of Defects in a Program Code in Python. Programming and Computer Software, 39(6), 279-284.

Chen, H., Wagner, D. 2002. MOPS: An Infrastructure for Examining Security Properties of Software. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), New York, NY, 235-244.

Chess, B., West, J. 2007. Secure Programming with Static Analysis. Addison-Wesley Professional. 624 p.

Hovemeyer, D., Spacco, J., Pugh, W. 2006. Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs. ACM SIGSOFT Software Engineering Notes, 31(1), 13-19. DOI: http://dx.doi.org/10.1145/1108768.1108798.

Logozzo, F., Fähndrich, M. 2008. On the Relative Completeness of Bytecode Analysis Versus Source Code Analysis. LNCS, 4959, 197-212.

Black, P., Fong, E., Okun, V., Gaucher, R. 2011. Source Code Security Analysis Tool Function Specification, Version 1.1 (NIST SP 500-268). Gaithersburg, MD 20899: SSD ITL NIST. 14 p.

Seacord, R. C. 2008. The CERT C Secure Coding Standard. Addison-Wesley Professional.

Seo, S.-H., Gupta, A., Sallam, A. M., Bertino, E., Yim, K. 2014. Detecting Mobile Malware Threats to Homeland Security through Static Analysis. Journal of Network and Computer Applications, 38, 43-53. DOI: http://dx.doi.org/10.1016/j.jnca.2013.05.008.

Stanley, W., Laski, J. 2009. Software Verification and Analysis. Springer.

Koussa, S. (Ed.). 2013. Static Analysis Technologies Evaluation Criteria v1.0. Web Application Security Consortium. URL: http://projects.webappsec.org/w/file/fetch/66107997/SATEC_Manual-02.pdf

Zhu, F., Wei, J. 2014. Static Analysis Based Invariant Detection for Commodity Operating Systems. Computers and Security, 43, 49-63. DOI: http://dx.doi.org/10.1016/j.cose.2014.02.008.

McLean, R. K. 2012. Comparing Static Security Analysis Tools Using Open Source Software. In 2012 IEEE Sixth International Conference on Software Security and Reliability Companion (SERE-C), Washington, D.C., USA, 68-74. DOI: http://dx.doi.org/10.1109/SERE-C.2012.16.

Kulenovic, M., Donko, D. 2014. A Survey of Static Code Analysis Methods for Security Vulnerabilities Detection. In 2014 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 1381-1386. DOI: http://dx.doi.org/10.1109/MIPRO.2014.6859783.

Xin, L., Wandong, C. 2011. A Program Vulnerabilities Detection Frame by Static Code Analysis and Model Checking. In 2011 IEEE 3rd International Conference on Communication Software and Networks (ICCSN), Xi'an, China, 130-134. DOI: http://dx.doi.org/10.1109/ICCSN.2011.6013559.

Muske, T., Bokil, P. 2015. On Implementational Variations in Static Analysis Tools. In 2015 IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER), Montréal, Québec, Canada, 512-515. DOI: http://dx.doi.org/10.1109/SANER.2015.7081867.

Johnson, B., Song, Y., Murphy-Hill, E., Bowdidge, R. 2013. Why Don't Software Developers Use Static Analysis Tools to Find Bugs? In Proceedings of the 2013 International Conference on Software Engineering (ICSE), 672-681. DOI: http://dx.doi.org/10.1109/ICSE.2013.6606613.

AlBreiki, H., Mahmoud, Q. 2014. Evaluation of Static Analysis Tools for Software Security. In 2014 10th International Conference on Innovations in Information Technology (INNOVATIONS), Al Ain, UAE, 93-98. DOI: http://dx.doi.org/10.1109/INNOVATIONS.2014.6987569.

Barabanov, A., Markov, A., Fadin, A., Tsirlov, V. 2015. A Production Model System for Detecting Vulnerabilities in the Software Source Code. In Proceedings of the 8th International Conference on Security of Information and Networks (SIN '15), Sochi, Russian Federation, September 8-10, 2015. ACM, New York, NY, USA, 98-99. DOI: http://dx.doi.org/10.1145/2799979.2800019.

Markov, A., Luchin, D., Rautkin, Y., Tsirlov, V. 2015. Evolution of a Radio Telecommunication Hardware-Software Certification Paradigm in Accordance with Information Security Requirements. In Proceedings of the 11th International Siberian Conference on Control and Communications (SIBCON-2015), Omsk, Russia, May 21-23, 2015. IEEE, 1-4. DOI: http://dx.doi.org/10.1109/SIBCON.2015.7147139.

Barabanov, A., Markov, A., Fadin, A., Tsirlov, V., Shakhalov, I. 2015. Synthesis of Secure Software Development Controls. In Proceedings of the 8th International Conference on Security of Information and Networks (SIN '15), Sochi, Russian Federation, September 8-10, 2015. ACM, New York, NY, USA, 93-97. DOI: http://dx.doi.org/10.1145/2799979.2799998.

Markov, A. S., Tsirlov, V. L. 2013. Opyt vyyavleniya uyazvimostey v zarubezhnykh programmnykh produktakh [Experience of Detecting Vulnerabilities in Foreign Software Products]. Voprosy kiberbezopasnosti [Cybersecurity Issues], 1(1), 42-48 (in Russ.).




(c) 2016 International Journal of Advanced Studies



Content is available under the Creative Commons Attribution-NonCommercial-NoDerivs 4.0 license.

ISSN 2328-1391 (print), ISSN 2227-930X (online)