On the Use of Open-Source C/C++ Static Analysis Tools in Large Projects

Abstract Many security vulnerabilities can be detected by static analysis. This paper is a case study and a performance comparison of four open-source static analysis tools and plugins (PMD, SpotBugs, Find Security Bugs, and SonarQube) on Java source code. Experiments have been conducted on the widely used Juliet Test Suite with respect to six selected weaknesses from the official Top 25 list of Common Weakness Enumeration. In this study, analysis metrics have been calculated for helping Java developers decide which tools can be used when checking their programs for security vulnerabilities. It turned out that particular weaknesses are best detected with particular tools.

Download Full-text

Evaluating State-of-the-Art Free and Open Source Static Analysis Tools Against Buffer Errors in Android Apps

2017 IEEE International Conference on Software Maintenance and Evolution (ICSME) ◽

10.1109/icsme.2017.77 ◽

2017 ◽

Cited By ~ 1

Author(s):

Bushra Aloraini ◽

Meiyappan Nagappan

Keyword(s):

Open Source ◽

Static Analysis ◽

State Of The Art ◽

Android Apps ◽

Analysis Tools

Download Full-text

A Comparison of Open-Source Static Analysis Tools for Vulnerability Detection in C/C++ Code

2017 19th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC) ◽

10.1109/synasc.2017.00035 ◽

2017 ◽

Cited By ~ 4

Author(s):

Andrei Arusoaie ◽

Stefan Ciobaca ◽

Vlad Craciun ◽

Dragos Gavrilut ◽

Dorel Lucanu

Keyword(s):

Open Source ◽

Static Analysis ◽

Vulnerability Detection ◽

Analysis Tools

Download Full-text

Testing static analysis tools using exploitable buffer overflows from open source code

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering - SIGSOFT '04/FSE-12 ◽

10.1145/1029894.1029911 ◽

2004 ◽

Cited By ~ 60

Author(s):

Misha Zitser ◽

Richard Lippmann ◽

Tim Leek

Keyword(s):

Open Source ◽

Static Analysis ◽

Source Code ◽

Open Source Code ◽

Buffer Overflows ◽

Analysis Tools

Download Full-text

Hypervisor-assisted dynamic malware analysis

Cybersecurity ◽

10.1186/s42400-021-00083-9 ◽

2021 ◽

Vol 4 (1) ◽

Author(s):

Roee S. Leon ◽

Michael Kiperberg ◽

Anat Anatey Leon Zabag ◽

Nezer Jacob Zaidenberg

Keyword(s):

Dynamic Analysis ◽

Static Analysis ◽

Cyber Security ◽

Malware Analysis ◽

Analysis Tools ◽

Significant Performance

AbstractMalware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

Download Full-text