Machine-Learning-Guided Selectively Unsound Static Analysis

Kihong Heo, Hakjoo Oh, Kwangkeun Yi

Research output: Chapter in Book/Report/Conference proceedingConference contribution

48 Citations (Scopus)


We present a machine-learning-based technique for selectively applying unsoundness in static analysis. Existing bug-finding static analyzers are unsound in order to be precise and scalable in practice. However, they are uniformly unsound and hence at the risk of missing a large amount of real bugs. By being sound, we can improve the detectability of the analyzer but it often suffers from a large number of false alarms. Our approach aims to strike a balance between these two approaches by selectively allowing unsoundness only when it is likely to reduce false alarms, while retaining true alarms. We use an anomaly-detection technique to learn such harmless unsoundness. We implemented our technique in two static analyzers for full C. One is for a taint analysis for detecting format-string vulnerabilities, and the other is for an interval analysis for buffer-overflow detection. The experimental results show that our approach significantly improves the recall of the original unsound analysis without sacrificing the precision.

Original languageEnglish
Title of host publicationProceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages11
ISBN (Electronic)9781538638682
Publication statusPublished - 2017 Jul 19
Externally publishedYes
Event39th IEEE/ACM International Conference on Software Engineering, ICSE 2017 - Buenos Aires, Argentina
Duration: 2017 May 202017 May 28

Publication series

NameProceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017


Conference39th IEEE/ACM International Conference on Software Engineering, ICSE 2017
CityBuenos Aires

Bibliographical note

Funding Information:
ACKNOWLEDGMENT We thank Jonggwon Kim and Woosuk Lee for their implementation of the taint analysis, and Mina Lee for comments on an early version of the paper. This work was partly supported by Samsung Electronics, Samsung Research Funding Center of Samsung Electronics (No.SRFC-IT1502-07), and Institute for Information & communications TechnologyPromotion(IITP) grant funded by the Korea government (MSIP) (No.B0717-16-0098, Development of homomorphic encryption for DNA analysis and biometry authentication and No.R0190-16-2011, Development of VulnerabilityDiscovery Technologiesfor IoT Software Security). This work was also supported by BK21 Plus for Pioneers in Innovative Computing (Dept. of Computer Science and Engineering, SNU) funded by National Research Foundation of Korea (NRF) (21A20151113068) and Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016R1C1B2014062).

Publisher Copyright:
© 2017 IEEE.


  • Bug-finding
  • Machine Learning
  • Static Analysis

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software


Dive into the research topics of 'Machine-Learning-Guided Selectively Unsound Static Analysis'. Together they form a unique fingerprint.

Cite this