Static Analysis at GitHub

The Semantic Code team at GitHub builds and operates a suite of technologies that power symbolic code navigation on github.com. We learned that scale is about adoption, user behavior, incremental improvement, and utility. Static analysis in particular is difficult to scale with respect to human behavior; we often think of complex analysis tools working to find potentially problematic patterns in code and then trying to convince the humans to fix them. Our approach took a different tack: use basic analysis techniques to quickly put information that augments our ability to understand programs in front of everyone reading code on GitHub with zero configuration required and almost immediate availability after code changes.

Download Full-text

Hypervisor-assisted dynamic malware analysis

Cybersecurity ◽

10.1186/s42400-021-00083-9 ◽

2021 ◽

Vol 4 (1) ◽

Author(s):

Roee S. Leon ◽

Michael Kiperberg ◽

Anat Anatey Leon Zabag ◽

Nezer Jacob Zaidenberg

Keyword(s):

Dynamic Analysis ◽

Static Analysis ◽

Cyber Security ◽

Malware Analysis ◽

Analysis Tools ◽

Significant Performance

AbstractMalware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

Download Full-text

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems ◽

10.1145/3411764.3445616 ◽

2021 ◽

Author(s):

Mohammad Tahaei ◽

Kami Vaniea ◽

Konstantin (Kosta) Beznosov ◽

Maria K Wolters

Keyword(s):

Static Analysis ◽

Analysis Tools ◽

Ability To Act

Download Full-text

Static analysis tools for security checking in code at Motorola

ACM SIGAda Ada Letters ◽

10.1145/1387830.1387833 ◽

2008 ◽

Vol XXVIII (1) ◽

pp. 76-82 ◽

Cited By ~ 4

Author(s):

R Krishnan ◽

Margaret Nadworny ◽

Nishil Bharill

Keyword(s):

Static Analysis ◽

Analysis Tools

Download Full-text

Using static analysis tools to assist student project evaluation

Proceedings of the 2nd ACM SIGSOFT International Workshop on Education through Advanced Software Engineering and Artificial Intelligence ◽

10.1145/3412453.3423195 ◽

2020 ◽

Author(s):

Arthur-Jozsef Molnar ◽

Simona Motogna ◽

Cristina Vlad

Keyword(s):

Static Analysis ◽

Project Evaluation ◽

Analysis Tools

Download Full-text

A Survey of Parametric Static Analysis

ACM Computing Surveys ◽

10.1145/3464457 ◽

2021 ◽

Vol 54 (7) ◽

pp. 1-37

Author(s):

Jihyeok Park ◽

Hongki Lee ◽

Sukyoung Ryu

Keyword(s):

Recent Work ◽

Static Analysis ◽

Abstract Interpretation ◽

Black Box ◽

Parameter Selection ◽

Survey Analysis ◽

Future Directions ◽

Analysis Techniques ◽

Analysis Quality

Understanding program behaviors is important to verify program properties or to optimize programs. Static analysis is a widely used technique to approximate program behaviors via abstract interpretation. To evaluate the quality of static analysis, researchers have used three metrics: performance, precision, and soundness. The static analysis quality depends on the analysis techniques used, but the best combination of such techniques may be different for different programs. To find the best combination of analysis techniques for specific programs, recent work has proposed parametric static analysis . It considers static analysis as black-box parameterized by analysis parameters , which are techniques that may be configured without analysis details. We formally define the parametric static analysis, and we survey analysis parameters and their parameter selection in the literature. We also discuss open challenges and future directions of the parametric static analysis.

Download Full-text

Why don't software developers use static analysis tools to find bugs?

2013 35th International Conference on Software Engineering (ICSE) ◽

10.1109/icse.2013.6606613 ◽

2013 ◽

Cited By ~ 154

Author(s):

Brittany Johnson ◽

Yoonki Song ◽

Emerson Murphy-Hill ◽

Robert Bowdidge

Keyword(s):

Static Analysis ◽

Software Developers ◽

Analysis Tools

Download Full-text

An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios

Computing ◽

10.1007/s00607-018-0664-z ◽

2018 ◽

Vol 101 (2) ◽

pp. 161-185 ◽

Cited By ~ 4

Author(s):

Paulo Nunes ◽

Ibéria Medeiros ◽

José Fonseca ◽

Nuno Neves ◽

Miguel Correia ◽

...

Keyword(s):

Empirical Study ◽

Static Analysis ◽

Web Security ◽

Security Vulnerabilities ◽

Development Scenarios ◽

Analysis Tools

Download Full-text

Influence Model of User Behavior Characteristics on Information Dissemination

International Journal of Computers Communications & Control ◽

10.15837/ijccc.2016.2.2441 ◽

2016 ◽

Vol 11 (2) ◽

pp. 209 ◽

Cited By ~ 1

Author(s):

Shao Chun Han ◽

Yun Liu ◽

Hui Ling Chen ◽

Zhen Jiang Zhang

Keyword(s):

Human Behavior ◽

Information Diffusion ◽

Statistical Physics ◽

Information Dissemination ◽

User Behavior ◽

Activity Patterns ◽

Propagation Model ◽

Propagation Time ◽

Behavior Characteristics ◽

The Impact

Quantitative analysis on human behavior, especially mining and modeling temporal and spatial regularities, is a common focus of statistical physics and complexity sciences. The in-depth understanding of human behavior helps in explaining many complex socioeconomic phenomena, and in finding applications in public opinion monitoring, disease control, transportation system design, calling center services, information recommendation. In this paper,we study the impact of human activity patterns on information diffusion. Using SIR propagation model and empirical data, conduct quantitative research on the impact of user behavior on information dissemination. It is found that when the exponent is small, user behavioral characteristics have features of many new dissemination nodes, fast information dissemination, but information continued propagation time is short, with limited influence; when the exponent is big, there are fewer new dissemination nodes, but will expand the scope of information dissemination and extend information dissemination duration; it is also found that for group behaviors, the power-law characteristic a greater impact on the speed of information dissemination than individual behaviors. This study provides a reference to better understand influence of social networking user behavior characteristics on information dissemination and kinetic effect.

Download Full-text

Detecting Uninitialized Variables in C++ with the Clang Static Analyzer

Acta Cybernetica ◽

10.14232/actacyb.282900 ◽

2020 ◽

Author(s):

Kristóf Umann ◽

Zoltán Porkoláb

Keyword(s):

Software Engineering ◽

Open Source ◽

Programming Languages ◽

Static Analysis ◽

Common Source ◽

Initial Value ◽

Analysis Techniques ◽

Specific Variable ◽

Prototype Tool ◽

Run Time

Uninitialized variables have been a source of errors since the beginning of software engineering. Some programming languages (e.g. Java and Python) will automatically zero-initialize such variables, but others, like C and C++, leave their state undefined. While laying aside initialization in C and C++ might be a performance advantage if an initial value can't be supplied, working with such variables is an undefined behavior, and is a common source of instabilities and crashes. To avoid such errors, whenever meaningful initialization is possible, it should be used. Tools for detecting these errors run time have existed for decades, but those require the problematic code to be executed. Since in many cases the number of possible execution paths are combinatoric, static analysis techniques emerged as an alternative. In this paper, we overview the technique for detecting uninitialized C++ variables using the Clang Static Analyzer, and describe various heuristics to guess whether a specific variable was left in an undefined state intentionally. We implemented a prototype tool based on our idea and successfully tested it on large open source projects.

Download Full-text

Evaluation of SQL Injection Vulnerability Detection Tools

International Journal of Engineering and Advanced Technology - Regular Issue ◽

10.35940/ijeat.a2648.109119 ◽

2019 ◽

Vol 9 (1) ◽

pp. 1747-1751

Keyword(s):

Static Analysis ◽

Web Applications ◽

Source Code ◽

False Negative ◽

Vulnerability Detection ◽

Sql Injection ◽

User Input ◽

Root Cause ◽

Analysis Tools ◽

Free Open Source

SQL injection vulnerabilities have been predominant on database-driven web applications since almost one decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to the back-end databases by altering the original SQL statements through manipulating user input. Testing web applications for identifying SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.

Download Full-text