FuzzSlice: Pruning False Positives in Static Analysis Warnings Through Function-Level Fuzzing (2402.01923v1)
Abstract: Manual confirmation of static analysis reports is a daunting task. This is due to both the large number of warnings and the high density of false positives among them. Fuzzing techniques have been proposed to verify static analysis warnings. However, a major limitation is that fuzzing the whole project to reach all static analysis warnings is not feasible: it can take several days, and machine time grows exponentially to increase code coverage linearly. Therefore, we propose FuzzSlice, a novel framework that automatically prunes possible false positives among static analysis warnings. Unlike prior work that mostly focuses on confirming true positives among static analysis warnings, which requires end-to-end fuzzing, FuzzSlice focuses on ruling out potential false positives, which are the majority in static analysis reports. The key insight on which we base our work is that a warning that does not yield a crash when fuzzed at the function level within a given time budget is a possible false positive. To achieve this, FuzzSlice first generates compilable code slices at the function level and then fuzzes these code slices instead of the entire binary. FuzzSlice is also unlikely to misclassify a true bug as a false positive, because the crashing input can be reproduced by a fuzzer at the function level as well. We evaluate FuzzSlice on the Juliet synthetic dataset and on real-world complex C projects. Our evaluation shows that the ground truth in the Juliet dataset had 864 false positives, all of which were detected by FuzzSlice. For the open-source repositories, we were able to get the developers of two of them to independently label the warnings. FuzzSlice automatically identifies 33 out of the 53 false positives confirmed by developers in these two repositories. Thus FuzzSlice reduces false positives by 62.26% in the open-source repositories and by 100% in the Juliet dataset.
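The abstract's core rule (fuzz the flagged function in isolation for a fixed budget; no crash means the warning is a possible false positive) is illustrated below with an added, constructed example that is not code from the FuzzSlice paper or its implementation. It assumes a hypothetical warning site where a static analyzer flags `memcpy()` into a fixed-size buffer, shown once with a bound check (a false positive) and once without (a true positive), a function-level harness in libFuzzer's `LLVMFuzzerTestOneInput` shape, and a tiny deterministic mutator standing in for the fuzzer's engine. A guard region after the destination buffer stands in for AddressSanitizer's redzone so the example runs without sanitizers; the function names, the byte values and the iteration budget are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_LEN 16
#define GUARD_LEN 64
#define GUARD_BYTE 0xA5
#define MAX_INPUT 48   /* < FIELD_LEN + GUARD_LEN, so the guard absorbs any overflow */

/* Constructed warning site: a static analyzer flags memcpy() of caller-
 * controlled bytes into a fixed-size buffer. The bound check makes this
 * instance a false positive. */
static int copy_field_checked(const uint8_t *in, size_t len, uint8_t *out) {
    if (len > FIELD_LEN)
        return -1;                 /* reject oversized input: no overflow possible */
    memcpy(out, in, len);
    return 0;
}

/* Same shape with the bound check missing: a true positive. */
static int copy_field_unchecked(const uint8_t *in, size_t len, uint8_t *out) {
    memcpy(out, in, len);          /* writes past FIELD_LEN when len > FIELD_LEN */
    return 0;
}

typedef int (*slice_fn)(const uint8_t *, size_t, uint8_t *);

/* Run the slice once on one input. The guard region after the destination
 * buffer stands in for AddressSanitizer's redzone (constructed substitute);
 * a real sanitizer build would report the out-of-bounds write directly.
 * Returns 1 if the guard was clobbered (a "crash"), 0 otherwise. */
static int run_one(slice_fn target, const uint8_t *data, size_t size) {
    uint8_t *buf = malloc(FIELD_LEN + GUARD_LEN);
    if (!buf)
        return 0;
    memset(buf, GUARD_BYTE, FIELD_LEN + GUARD_LEN);
    target(data, size, buf);
    int clobbered = 0;
    for (size_t i = FIELD_LEN; i < FIELD_LEN + GUARD_LEN; i++) {
        if (buf[i] != GUARD_BYTE) {
            clobbered = 1;
            break;
        }
    }
    free(buf);
    return clobbered;
}

/* libFuzzer-style entry point for the slice (the shape a function-level
 * harness takes under clang -fsanitize=fuzzer,address); it wraps the
 * checked variant here. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size > MAX_INPUT)
        return 0;
    run_one(copy_field_checked, data, size);
    return 0;
}

/* Minimal deterministic mutator (LCG) standing in for the fuzzer's engine. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state;
}

/* Fuzz one slice for `budget` iterations. Returns the iteration number at
 * which a crash was reproduced, or 0 if the budget expired without one. */
static unsigned fuzz_slice(slice_fn target, unsigned budget) {
    uint8_t input[MAX_INPUT];
    memset(input, 'A', sizeof input);
    rng_state = 1;                                /* fixed seed: reproducible */
    for (unsigned i = 1; i <= budget; i++) {
        uint32_t r = rng_next();
        size_t len = 1 + (r >> 16) % MAX_INPUT;   /* vary the input length */
        input[r % len] ^= (uint8_t)(r >> 8);      /* flip bits in one byte */
        if (run_one(target, input, len))
            return i;
    }
    return 0;
}

/* The classification rule from the abstract: no crash within the budget
 * means the warning is a possible false positive. */
static const char *classify_warning(slice_fn target, unsigned budget) {
    return fuzz_slice(target, budget) ? "crash reproduced (keep warning)"
                                      : "possible false positive";
}

int main(void) {
    printf("checked copy:   %s\n", classify_warning(copy_field_checked, 10000));
    printf("unchecked copy: %s\n", classify_warning(copy_field_unchecked, 10000));
    return 0;
}
```

The checked variant survives the whole budget and is pruned as a possible false positive; the unchecked variant clobbers the guard on the first oversized input, so the warning is kept. The budget is the knob the abstract describes: a slice that has not crashed by the time it runs out is pruned, while a real bug is expected to be reproducible at the function level just as it would be end-to-end.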
Authors: Aniruddhan Murali, Noble Saji Mathews, Mahmoud Alfadel, Meiyappan Nagappan, Meng Xu