An empirical study on the effectiveness of static C code analyzers for vulnerability detection

Stephan Lipp, Sebastian Banescu, Alexander Pretschner

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

36 Scopus citations

Abstract

Static code analysis is often used to scan source code for security vulnerabilities. Given the wide range of existing solutions implementing different analysis techniques, it is very challenging to perform an objective comparison between static analysis tools to determine which ones are most effective at detecting vulnerabilities. Existing studies are limited in that (1) they use synthetic datasets, whose vulnerabilities do not reflect the complexity of security bugs found in practice, and/or (2) they do not provide differentiated analyses with respect to the types of vulnerabilities reported by the static analyzers. Hence, their conclusions about an analyzer's capability to detect vulnerabilities may not generalize to real-world programs. In this paper, we propose a methodology for automatically evaluating the effectiveness of static code analyzers based on CVE reports. We evaluate five free and open-source static C code analyzers and one commercial one against 27 software projects containing a total of 1.15 million lines of code and 192 vulnerabilities (ground truth). While static C analyzers have been shown to perform well in benchmarks with synthetic bugs, our results indicate that state-of-the-art tools miss between 47% and 80% of the vulnerabilities in a benchmark set of real-world programs. Moreover, our study finds that this false negative rate can be reduced to 30% to 69% when combining the results of static analyzers, at the cost of 15 percentage points more functions flagged. Many vulnerabilities hence remain undetected, especially those beyond the classical memory-related security bugs.

Original language: English
Title of host publication: ISSTA 2022 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors: Sukyoung Ryu, Yannis Smaragdakis
Publisher: Association for Computing Machinery, Inc
Pages: 544-555
Number of pages: 12
ISBN (Electronic): 9781450393799
State: Published - 18 Jul 2022
Event: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022 - Virtual, Online, Korea, Republic of
Duration: 18 Jul 2022 to 22 Jul 2022

Publication series

Name: ISSTA 2022 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis

Conference

Conference: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022
Country/Territory: Korea, Republic of
City: Virtual, Online
Period: 18/07/22 to 22/07/22

Keywords

  • empirical study
  • static code analysis
  • vulnerability detection
