Atomicity Violation in Multithreaded Applications and Its Detection in Static Code Analysis Process

This paper is a contribution to the field of research dealing with the parallel computing, which is used in multithreaded applications. The paper discusses the characteristics of atomicity violation in multithreaded applications and develops a new definition of atomicity violation based on previously defined relationships between operations, that can be used to atomicity violation detection. A method of detection of conflicts causing atomicity violation was also developed using the source code model of multithreaded applications that predicts errors in the software.

Download Full-text

Enhanced Bug Prediction in JavaScript Programs with Hybrid Call-Graph Based Invocation Metrics

Technologies ◽

10.3390/technologies9010003 ◽

2020 ◽

Vol 9 (1) ◽

pp. 3

Author(s):

Gábor Antal ◽

Zoltán Tóth ◽

Péter Hegedűs ◽

Rudolf Ferenc

Keyword(s):

Software Maintenance ◽

Positive Impact ◽

Source Code ◽

Code Analysis ◽

Static Source ◽

Static Code Analysis ◽

Function Calls ◽

Hybrid Code ◽

Code Metrics ◽

Scripting Language

Bug prediction aims at finding source code elements in a software system that are likely to contain defects. Being aware of the most error-prone parts of the program, one can efficiently allocate the limited amount of testing and code review resources. Therefore, bug prediction can support software maintenance and evolution to a great extent. In this paper, we propose a function level JavaScript bug prediction model based on static source code metrics with the addition of a hybrid (static and dynamic) code analysis based metric of the number of incoming and outgoing function calls (HNII and HNOI). Our motivation for this is that JavaScript is a highly dynamic scripting language for which static code analysis might be very imprecise; therefore, using a purely static source code features for bug prediction might not be enough. Based on a study where we extracted 824 buggy and 1943 non-buggy functions from the publicly available BugsJS dataset for the ESLint JavaScript project, we can confirm the positive impact of hybrid code metrics on the prediction performance of the ML models. Depending on the ML algorithm, applied hyper-parameters, and target measures we consider, hybrid invocation metrics bring a 2–10% increase in model performances (i.e., precision, recall, F-measure). Interestingly, replacing static NOI and NII metrics with their hybrid counterparts HNOI and HNII in itself improves model performances; however, using them all together yields the best results.

Download Full-text

A Case Study on Testing for Software Security

Advanced Automated Software Testing ◽

10.4018/978-1-4666-0089-8.ch005 ◽

2012 ◽

pp. 89-112

Author(s):

Natarajan Meghanathan ◽

Alexander Roy Geoghegan

Keyword(s):

Software Security ◽

Denial Of Service ◽

Source Code ◽

Code Analysis ◽

Software Vulnerabilities ◽

Static Code Analysis ◽

Software Program ◽

Automated Tools ◽

High Level

The high-level contribution of this book chapter is to illustrate how to conduct static code analysis of a software program and mitigate the vulnerabilities associated with the program. The automated tools used to test for software security are the Source Code Analyzer and Audit Workbench, developed by Fortify, Inc. The first two sections of the chapter are comprised of (i) An introduction to Static Code Analysis and its usefulness in testing for Software Security and (ii) An introduction to the Source Code Analyzer and the Audit Workbench tools and how to use them to conduct static code analysis. The authors then present a detailed case study of static code analysis conducted on a File Reader program (developed in Java) using these automated tools. The specific software vulnerabilities that are discovered, analyzed, and mitigated include: (i) Denial of Service, (ii) System Information Leak, (iii) Unreleased Resource (in the context of Streams), and (iv) Path Manipulation. The authors discuss the potential risk in having each of these vulnerabilities in a software program and provide the solutions (and the Java code) to mitigate these vulnerabilities. The proposed solutions for each of these four vulnerabilities are more generic and could be used to correct such vulnerabilities in software developed in any other programming language.

Download Full-text

Deadlocks Detection in Multithreaded Applications Based on Source Code Analysis

Applied Sciences ◽

10.3390/app10020532 ◽

2020 ◽

Vol 10 (2) ◽

pp. 532 ◽

Cited By ~ 1

Author(s):

Damian Giebas ◽

Rafał Wojszczyk

Keyword(s):

Petri Nets ◽

Source Code ◽

Source Code Analysis ◽

C Language ◽

Code Analysis ◽

Advantages And Disadvantages ◽

Code Model

This paper extends multithreaded application source code model and shows how to using it to detect deadlocks in C language applications. Four known deadlock scenarios from literature can be detected using our model. For every scenario we created theorems and proofs whose fulfillment guarantees the occurrence of deadlocks in multithreaded applications. Paper also contains comparison of multithreaded application source code model and Petri nets and describe advantages and disadvantages both of them.

Download Full-text

Comparative analysis of approaches to source code vulnerability detection based on deep learning methods

Technology audit and production reserves ◽

10.15587/2706-5448.2021.233534 ◽

2021 ◽

Vol 3 (2(59)) ◽

pp. 19-23

Author(s):

Yevhenii Kubiuk ◽

Gennadiy Kyselov

Keyword(s):

Deep Learning ◽

Comparative Analysis ◽

Short Term Memory ◽

Source Code ◽

Vulnerability Detection ◽

Program Dependence Graph ◽

Code Analysis ◽

Advantages And Disadvantages ◽

Analysis Process ◽

Analysis System

The object of research of this work is the methods of deep learning for source code vulnerability detection. One of the most problematic areas is the use of only one approach in the code analysis process: the approach based on the AST (abstract syntax tree) or the approach based on the program dependence graph (PDG). In this paper, a comparative analysis of two approaches for source code vulnerability detection was conducted: approaches based on AST and approaches based on the PDG. In this paper, various topologies of neural networks were analyzed. They are used in approaches based on the AST and PDG. As the result of the comparison, the advantages and disadvantages of each approach were determined, and the results were summarized in the corresponding comparison tables. As a result of the analysis, it was determined that the use of BLSTM (Bidirectional Long Short Term Memory) and BGRU (Bidirectional Gated Linear Unit) gives the best result in terms of problems of source code vulnerability detection. As the analysis showed, the most effective approach for source code vulnerability detection systems is a method that uses an intermediate representation of the code, which allows getting a language-independent tool. Also, in this work, our own algorithm for the source code analysis system is proposed, which is able to perform the following operations: predict the source code vulnerability, classify the source code vulnerability, and generate a corresponding patch for the found vulnerability. A detailed analysis of the proposed system’s unresolved issues is provided, which is planned to investigate in future researches. The proposed system could help speed up the software development process as well as reduce the number of software code vulnerabilities. Software developers, as well as specialists in the field of cybersecurity, can be stakeholders of the proposed system.

Download Full-text

A Comparative Study of Static Code Analysis tools for Vulnerability Detection in C/C++ and JAVA Source Code

Procedia Computer Science ◽

10.1016/j.procs.2020.04.217 ◽

2020 ◽

Vol 171 ◽

pp. 2023-2029 ◽

Cited By ~ 2

Author(s):

Arvinder Kaur ◽

Ruchikaa Nayyar

Keyword(s):

Comparative Study ◽

Source Code ◽

Vulnerability Detection ◽

Code Analysis ◽

Analysis Tools ◽

Static Code Analysis

Download Full-text

An Ontology of Information Security

Techniques and Applications for Advanced Information Privacy and Security ◽

10.4018/978-1-60566-210-7.ch018 ◽

2011 ◽

pp. 278-301 ◽

Cited By ~ 4

Author(s):

Almut Herzog ◽

Nahid Shahmehri ◽

Claudiu Duma

Keyword(s):

Information Security ◽

Source Code ◽

Buffer Overflow ◽

Common Language ◽

Source Code Analysis ◽

Code Analysis ◽

Memory Protection ◽

Asset Classes ◽

The Moment ◽

Definition Of

The authors present a publicly available, OWL-based ontology of information security which models assets, threats, vulnerabilities and countermeasures and their relations. The ontology can be used as a general vocabulary, roadmap and extensible dictionary of the domain of information security. With its help, users can agree on a common language and definition of terms and relationships. In addition to browsing for information, the ontology is also useful for reasoning about relationships between its entities, that is, threats and countermeasures. The ontology helps answer questions like: Which countermeasures detect or prevent the violation of integrity of data? Which assets are protected by SSH? Which countermeasures thwart buffer overflow attacks? At the moment, the ontology comprises 88 threat classes, 79 asset classes, 133 countermeasure classes and 34 relations between those classes. The authors provide means for extending the ontology, and provide examples of the extendibility with the countermeasure classes “memory protection” and “source code analysis”. This chapter describes the content of the ontology as well as its usages, potential for extension, technical implementation and tools for working with it.

Download Full-text