Is a False Positive really False Positive?

Hong Jun Choi; Hyuk Lee; Jin Young Choi

doi:10.23919/ICACT53585.2022.9728948

Is a False Positive really False Positive?

Hong Jun Choi
, Hyuk Lee
, Jin Young Choi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

As the number of devices with software increases, software reliability and security has become more critical. To improve reliability and security, developers and test engineers use static analysis tools to find defects early in the development process. However, it takes a lot of time and effort to determine whether alarms from performing static analysis are true or false positive. In this paper, we argue that all integer overflow generated by static analysis tools are weaknesses and should eventually be corrected. To show that our argument is reasonable, we explain static analysis results for binary search program code and CWE:190 example code in terms of reliability and security. It is unnecessary to identify whether the integer overflow generated by static analysis tools is true or false positive.

Original language	English
Title of host publication	24th International Conference on Advanced Communication Technology
Subtitle of host publication	Artificial Intelligence Technologies toward Cybersecurity!!, ICACT 2022 - Proceedings
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	145-149
Number of pages	5
ISBN (Electronic)	9791188428090
DOIs	https://doi.org/10.23919/ICACT53585.2022.9728948
Publication status	Published - 2022
Event	24th International Conference on Advanced Communication Technology, ICACT 2022 - Virtual, Online, Korea, Republic of Duration: 2022 Feb 13 → 2022 Feb 16

Publication series

Name	International Conference on Advanced Communication Technology, ICACT
Volume	2022-February
ISSN (Print)	1738-9445

Conference

Conference	24th International Conference on Advanced Communication Technology, ICACT 2022
Country/Territory	Korea, Republic of
City	Virtual, Online
Period	22/2/13 → 22/2/16

Bibliographical note

Publisher Copyright:
© 2022 Global IT Research Institute-GiRI.

Keywords

False Positive
Integer Overflow
Software Reliability
Software Security
Static Analysis
True Positive

ASJC Scopus subject areas

Electrical and Electronic Engineering

Access to Document

10.23919/ICACT53585.2022.9728948

Cite this

Choi, H. J., Lee, H., & Choi, J. Y. (2022). Is a False Positive really False Positive? In 24th International Conference on Advanced Communication Technology: Artificial Intelligence Technologies toward Cybersecurity!!, ICACT 2022 - Proceedings (pp. 145-149). (International Conference on Advanced Communication Technology, ICACT; Vol. 2022-February). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.23919/ICACT53585.2022.9728948

Is a False Positive really False Positive? / Choi, Hong Jun; Lee, Hyuk; Choi, Jin Young.
24th International Conference on Advanced Communication Technology: Artificial Intelligence Technologies toward Cybersecurity!!, ICACT 2022 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2022. p. 145-149 (International Conference on Advanced Communication Technology, ICACT; Vol. 2022-February).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Choi, HJ, Lee, H & Choi, JY 2022, Is a False Positive really False Positive? in 24th International Conference on Advanced Communication Technology: Artificial Intelligence Technologies toward Cybersecurity!!, ICACT 2022 - Proceedings. International Conference on Advanced Communication Technology, ICACT, vol. 2022-February, Institute of Electrical and Electronics Engineers Inc., pp. 145-149, 24th International Conference on Advanced Communication Technology, ICACT 2022, Virtual, Online, Korea, Republic of, 22/2/13. https://doi.org/10.23919/ICACT53585.2022.9728948

Choi HJ, Lee H, Choi JY. Is a False Positive really False Positive? In 24th International Conference on Advanced Communication Technology: Artificial Intelligence Technologies toward Cybersecurity!!, ICACT 2022 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2022. p. 145-149. (International Conference on Advanced Communication Technology, ICACT). doi: 10.23919/ICACT53585.2022.9728948

Choi, Hong Jun ; Lee, Hyuk ; Choi, Jin Young. / Is a False Positive really False Positive?. 24th International Conference on Advanced Communication Technology: Artificial Intelligence Technologies toward Cybersecurity!!, ICACT 2022 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 145-149 (International Conference on Advanced Communication Technology, ICACT).

@inproceedings{7819a09f4fd049b28f3984821e118323,

title = "Is a False Positive really False Positive?",

abstract = "As the number of devices with software increases, software reliability and security has become more critical. To improve reliability and security, developers and test engineers use static analysis tools to find defects early in the development process. However, it takes a lot of time and effort to determine whether alarms from performing static analysis are true or false positive. In this paper, we argue that all integer overflow generated by static analysis tools are weaknesses and should eventually be corrected. To show that our argument is reasonable, we explain static analysis results for binary search program code and CWE:190 example code in terms of reliability and security. It is unnecessary to identify whether the integer overflow generated by static analysis tools is true or false positive.",

keywords = "False Positive, Integer Overflow, Software Reliability, Software Security, Static Analysis, True Positive",

author = "Choi, \{Hong Jun\} and Hyuk Lee and Choi, \{Jin Young\}",

note = "Publisher Copyright: {\textcopyright} 2022 Global IT Research Institute-GiRI.; 24th International Conference on Advanced Communication Technology, ICACT 2022 ; Conference date: 13-02-2022 Through 16-02-2022",

year = "2022",

doi = "10.23919/ICACT53585.2022.9728948",

language = "English",

series = "International Conference on Advanced Communication Technology, ICACT",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "145--149",

booktitle = "24th International Conference on Advanced Communication Technology",