Machine-Learning-Guided Selectively Unsound Static Analysis

Kihong Heo; Hakjoo Oh; Kwangkeun Yi

doi:10.1109/ICSE.2017.54

Machine-Learning-Guided Selectively Unsound Static Analysis

Kihong Heo
, Hakjoo Oh
, Kwangkeun Yi^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

54 Citations (Scopus)

Abstract

We present a machine-learning-based technique for selectively applying unsoundness in static analysis. Existing bug-finding static analyzers are unsound in order to be precise and scalable in practice. However, they are uniformly unsound and hence at the risk of missing a large amount of real bugs. By being sound, we can improve the detectability of the analyzer but it often suffers from a large number of false alarms. Our approach aims to strike a balance between these two approaches by selectively allowing unsoundness only when it is likely to reduce false alarms, while retaining true alarms. We use an anomaly-detection technique to learn such harmless unsoundness. We implemented our technique in two static analyzers for full C. One is for a taint analysis for detecting format-string vulnerabilities, and the other is for an interval analysis for buffer-overflow detection. The experimental results show that our approach significantly improves the recall of the original unsound analysis without sacrificing the precision.

Original language	English
Title of host publication	Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	519-529
Number of pages	11
ISBN (Electronic)	9781538638682
DOIs	https://doi.org/10.1109/ICSE.2017.54
Publication status	Published - 2017 Jul 19
Externally published	Yes
Event	39th IEEE/ACM International Conference on Software Engineering, ICSE 2017 - Buenos Aires, Argentina Duration: 2017 May 20 → 2017 May 28

Publication series

Name	Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017

Conference

Conference	39th IEEE/ACM International Conference on Software Engineering, ICSE 2017
Country/Territory	Argentina
City	Buenos Aires
Period	17/5/20 → 17/5/28

Bibliographical note

Funding Information:
ACKNOWLEDGMENT We thank Jonggwon Kim and Woosuk Lee for their implementation of the taint analysis, and Mina Lee for comments on an early version of the paper. This work was partly supported by Samsung Electronics, Samsung Research Funding Center of Samsung Electronics (No.SRFC-IT1502-07), and Institute for Information & communications TechnologyPromotion(IITP) grant funded by the Korea government (MSIP) (No.B0717-16-0098, Development of homomorphic encryption for DNA analysis and biometry authentication and No.R0190-16-2011, Development of VulnerabilityDiscovery Technologiesfor IoT Software Security). This work was also supported by BK21 Plus for Pioneers in Innovative Computing (Dept. of Computer Science and Engineering, SNU) funded by National Research Foundation of Korea (NRF) (21A20151113068) and Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016R1C1B2014062).

Publisher Copyright:
© 2017 IEEE.

Keywords

Bug-finding
Machine Learning
Static Analysis

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software

Access to Document

10.1109/ICSE.2017.54

Cite this

Heo, K., Oh, H., & Yi, K. (2017). Machine-Learning-Guided Selectively Unsound Static Analysis. In Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017 (pp. 519-529). Article 7985690 (Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICSE.2017.54

Machine-Learning-Guided Selectively Unsound Static Analysis. / Heo, Kihong; Oh, Hakjoo; Yi, Kwangkeun.
Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 519-529 7985690 (Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Heo, K, Oh, H & Yi, K 2017, Machine-Learning-Guided Selectively Unsound Static Analysis. in Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017., 7985690, Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017, Institute of Electrical and Electronics Engineers Inc., pp. 519-529, 39th IEEE/ACM International Conference on Software Engineering, ICSE 2017, Buenos Aires, Argentina, 17/5/20. https://doi.org/10.1109/ICSE.2017.54

Heo K, Oh H, Yi K. Machine-Learning-Guided Selectively Unsound Static Analysis. In Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 519-529. 7985690. (Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017). doi: 10.1109/ICSE.2017.54

@inproceedings{47cc0835867141dbbab09f82d7411469,

title = "Machine-Learning-Guided Selectively Unsound Static Analysis",

abstract = "We present a machine-learning-based technique for selectively applying unsoundness in static analysis. Existing bug-finding static analyzers are unsound in order to be precise and scalable in practice. However, they are uniformly unsound and hence at the risk of missing a large amount of real bugs. By being sound, we can improve the detectability of the analyzer but it often suffers from a large number of false alarms. Our approach aims to strike a balance between these two approaches by selectively allowing unsoundness only when it is likely to reduce false alarms, while retaining true alarms. We use an anomaly-detection technique to learn such harmless unsoundness. We implemented our technique in two static analyzers for full C. One is for a taint analysis for detecting format-string vulnerabilities, and the other is for an interval analysis for buffer-overflow detection. The experimental results show that our approach significantly improves the recall of the original unsound analysis without sacrificing the precision.",

keywords = "Bug-finding, Machine Learning, Static Analysis",

author = "Kihong Heo and Hakjoo Oh and Kwangkeun Yi",

note = "Funding Information: ACKNOWLEDGMENT We thank Jonggwon Kim and Woosuk Lee for their implementation of the taint analysis, and Mina Lee for comments on an early version of the paper. This work was partly supported by Samsung Electronics, Samsung Research Funding Center of Samsung Electronics (No.SRFC-IT1502-07), and Institute for Information \& communications TechnologyPromotion(IITP) grant funded by the Korea government (MSIP) (No.B0717-16-0098, Development of homomorphic encryption for DNA analysis and biometry authentication and No.R0190-16-2011, Development of VulnerabilityDiscovery Technologiesfor IoT Software Security). This work was also supported by BK21 Plus for Pioneers in Innovative Computing (Dept. of Computer Science and Engineering, SNU) funded by National Research Foundation of Korea (NRF) (21A20151113068) and Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT \& Future Planning (NRF-2016R1C1B2014062). Publisher Copyright: {\textcopyright} 2017 IEEE.; 39th IEEE/ACM International Conference on Software Engineering, ICSE 2017 ; Conference date: 20-05-2017 Through 28-05-2017",

year = "2017",

month = jul,

day = "19",

doi = "10.1109/ICSE.2017.54",

language = "English",

series = "Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "519--529",

booktitle = "Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017",

}

TY - GEN

T1 - Machine-Learning-Guided Selectively Unsound Static Analysis

AU - Heo, Kihong

AU - Oh, Hakjoo

AU - Yi, Kwangkeun

N1 - Funding Information: ACKNOWLEDGMENT We thank Jonggwon Kim and Woosuk Lee for their implementation of the taint analysis, and Mina Lee for comments on an early version of the paper. This work was partly supported by Samsung Electronics, Samsung Research Funding Center of Samsung Electronics (No.SRFC-IT1502-07), and Institute for Information & communications TechnologyPromotion(IITP) grant funded by the Korea government (MSIP) (No.B0717-16-0098, Development of homomorphic encryption for DNA analysis and biometry authentication and No.R0190-16-2011, Development of VulnerabilityDiscovery Technologiesfor IoT Software Security). This work was also supported by BK21 Plus for Pioneers in Innovative Computing (Dept. of Computer Science and Engineering, SNU) funded by National Research Foundation of Korea (NRF) (21A20151113068) and Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016R1C1B2014062). Publisher Copyright: © 2017 IEEE.

PY - 2017/7/19

Y1 - 2017/7/19

N2 - We present a machine-learning-based technique for selectively applying unsoundness in static analysis. Existing bug-finding static analyzers are unsound in order to be precise and scalable in practice. However, they are uniformly unsound and hence at the risk of missing a large amount of real bugs. By being sound, we can improve the detectability of the analyzer but it often suffers from a large number of false alarms. Our approach aims to strike a balance between these two approaches by selectively allowing unsoundness only when it is likely to reduce false alarms, while retaining true alarms. We use an anomaly-detection technique to learn such harmless unsoundness. We implemented our technique in two static analyzers for full C. One is for a taint analysis for detecting format-string vulnerabilities, and the other is for an interval analysis for buffer-overflow detection. The experimental results show that our approach significantly improves the recall of the original unsound analysis without sacrificing the precision.

AB - We present a machine-learning-based technique for selectively applying unsoundness in static analysis. Existing bug-finding static analyzers are unsound in order to be precise and scalable in practice. However, they are uniformly unsound and hence at the risk of missing a large amount of real bugs. By being sound, we can improve the detectability of the analyzer but it often suffers from a large number of false alarms. Our approach aims to strike a balance between these two approaches by selectively allowing unsoundness only when it is likely to reduce false alarms, while retaining true alarms. We use an anomaly-detection technique to learn such harmless unsoundness. We implemented our technique in two static analyzers for full C. One is for a taint analysis for detecting format-string vulnerabilities, and the other is for an interval analysis for buffer-overflow detection. The experimental results show that our approach significantly improves the recall of the original unsound analysis without sacrificing the precision.

KW - Bug-finding

KW - Machine Learning

KW - Static Analysis

UR - https://www.scopus.com/pages/publications/85027716023

U2 - 10.1109/ICSE.2017.54

DO - 10.1109/ICSE.2017.54

M3 - Conference contribution

AN - SCOPUS:85027716023

T3 - Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017

SP - 519

EP - 529

BT - Proceedings - 2017 IEEE/ACM 39th International Conference on Software Engineering, ICSE 2017

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 39th IEEE/ACM International Conference on Software Engineering, ICSE 2017

Y2 - 20 May 2017 through 28 May 2017

ER -

Machine-Learning-Guided Selectively Unsound Static Analysis

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this