Evaluation of Static Analyzers for Weakness in C/C++ Programs using Juliet and STONESOUP Test Suites (Juliet과 STONESOUP 테스트 모음을 사용한 C/C++ 프로그램의 보안약점 탐지를 위한 정적 분석기 평가)

Hyunji Seo (서현지); Younggwan Park (박영관); Kim Taehwan (김태환); Han, Kyung sook (한경숙); Changwoo Pyo (표창우)

doi:10.9708/jksci.2017.22.03.017

Evaluation of Static Analyzers for Weakness in C/C++ Programs using Juliet and STONESOUP Test Suites

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2017, 22(3), pp.17-25
DOI : 10.9708/jksci.2017.22.03.017
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science
Received : March 13, 2017
Accepted : March 23, 2017
Published : March 31, 2017

Hyunji Seo ¹, Younggwan Park ¹, Kim Taehwan ¹, Han, Kyung sook ², Changwoo Pyo ¹

¹홍익대학교
²한국산업기술대학교

Accredited

ABSTRACT

In this paper, we compared four analyzers Clang, CppCheck, Compass, and a commercial one from a domestic startup using the NIST’s Juliet test suit and STONESOUP that is introduced recently. Tools showed detection efficacy in the order of Clang, CppCheck, the domestic one, and Compass under Juliet tests; and Clang, the domestic one, Compass, and CppCheck under STONESOUP tests. We expect it would be desirable to utilize symbolic execution for vulnerability analysis in the future. On the other hand, the results of tool evaluation also testifies that Juliet and STONESOUP as a benchmark for static analysis tools can reveal differences among tools. Finally, each analyzer has different CWEs that it can detect all given test programs. This result can be used for selection of proper tools with respect to specific CWEs.

KEYWORDS

Static Analyzer, Software Weakness, C/C++ Program, JULIET Test Suite, STONESOUP

Citation status

* References for papers published after 2023 are currently being built.

[journal] 주정민 / 2015 / A Study of Research Trend about Internet of Things / 정보화정책 / 한국정보화진흥원 22(3) : 3~15

[web] CWE / Common Weakness Enumeration / http://cwe.mitre.org

[web] CVE / Common Vulnerabilities and Exposures / http://cve.mitre.org

[journal] C. Cadar / 2013 / Symbolic execution for software testing: three decades later / Communications of the ACM 56(2) : 82~90

[confproc] P. Cousot / 1977 / Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints / Proceedings of the 4th ACM SIGACTSIGPLAN symposium on Principles of programming languages / ACM : 238~252

[confproc] S. Hendrik / 2016 / Static analysis of Sequential Function Charts using abstract interpretation / Emerging Technologies and Factory Automation (ETFA) 2016 IEEE 21st International Conference : 1~4

[web] / Clang / http://Clang-analyzer.llvm.org

[web] / CppCheck / http://CppCheck.sourceforge.net

[web] / Compass User Manual / http://rosecompiler.org/Compass.pdf

[web] / NIST / http://samate.nist.gov/SRD/testsuite.php

[other] IARPA / STONESOUP(Securely Taking On New Executable Software of Uncertain Provenance)

[other] SAMATE / Juliet Test Suite v1.2 for C/C++ User Guide / National Security Agency

[web] / IARPA / http://www.iarpa.gov

[web] / MINESTRONE / http://nsl.cs.columbia.edu/projects/m-inestrone

[web] / PEASOUP / http://www.grammatech.com/software-hardening/research

[web] / VIBRANCE / http://stonesoup.kestrel.edu

[report] NIST / Report on the Static Analysis Tool Exposition (SATE) IV

[web] / LDRA Testbed / http://www.ldra.com/en/testbedtbvision

[web] / INFER / http://fbinfer.com

[web] / Parasoft C++ test / http://www.parasoft.com/product/static-analysis-cc

[web] / Red Lizard Software Goanna / http://redlizards.com

[confproc] C. Lattner / 2004 / LLVM: A compilation framework for lifelong program analysis & transformation / Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization / IEEE Computer Society : 75~

[book] B. C. Lopes / 2014 / Getting started with LLVM core libraries / Packt Publishing Ltd : 73~104

[book] K. Cooper / 2011 / Engineering a compil- er / Elsevier : 231~232

[web] / ROSE compiler infrastructure / http://rosecompiler.org

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Evaluation of Static Analyzers for Weakness in C/C++ Programs using Juliet and STONESOUP Test Suites

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Evaluation of Static Analyzers for Weakness in C/C++ Programs using Juliet and STONESOUP Test Suites

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (1)

REFERENCES (25) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.