Static Analysis Introduction Emerson Murphy-Hill.

Slides:



Advertisements
Similar presentations
Top 10 User Mistakes with Static Analysis Sate IV March 2012.
Advertisements

Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.
Testing and Quality Assurance
A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.
Software Construction
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.
Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.
Turning Eclipse Against Itself: Finding Errors in Eclipse Sources Benjamin Livshits Stanford University.
Review David Rabinowitz. March 3rd, 2004 Object Oriented Design Course 2 Review What have we done during the course? Which topics we have not discussed?
 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.
ISSRE 2006 | November 10, 2006 Automated Adaptive Ranking and Filtering of Static Analysis Alerts Sarah Heckman Laurie Williams November 10, 2006.
14-Jun-05White Elephant GmbH1 Ada Bug Finder. 14-Jun-05White Elephant GmbH2 Ada Bug Finder The Ada Bug Finder is a Windows application that searches Ada.
Examining the Code [Reading assignment: Chapter 6, pp ]
Expediting Programmer AWAREness of Anomalous Code Sarah E. Smith Laurie Williams Jun Xu November 11, 2005.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
Exceptions and Mistakes CSE788 John Eisenlohr. Big Question How can we improve the quality of concurrent software?
CSCE 548 Secure Software Development Test 1 Review.
1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.
CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
SE-3910 Real-time Systems Week 8, Class 3 – Announcement(s) – Static Analysis What/Why Tools Examples Coding Standards vs Style Guides How to include SA.
Verification and Validation Overview References: Shach, Object Oriented and Classical Software Engineering Pressman, Software Engineering: a Practitioner’s.
 To explain the importance of software configuration management (CM)  To describe key CM activities namely CM planning, change management, version management.
Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford.
Python – Part 1 Python Programming Language 1. What is Python? High-level language Interpreted – easy to test and use interactively Object-oriented Open-source.
Software Testing. What is Testing? The process consisting of all life cycle activities, both static and dynamic, concerned with planning, preparation.
Security - Why Bother? Your projects in this class are not likely to be used for some critical infrastructure or real-world sensitive data. Why should.
Well-behaved objects Main concepts to be covered Testing Debugging Test automation Writing for maintainability Objects First with Java - A Practical.
Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.
Integrated Systems Division Service-Oriented Programming Guy Bieber, Lead Architect Motorola ISD C4I 2000 OOPSLA Jini Pattern Language Workshop Guy Bieber,
Static Analysis James Walden Northern Kentucky University.
CSCE 548 Building Secure Software. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRELERO© What we currently know about software fault prediction: A systematic review of the fault prediction.
Chapter 12: Software Inspection Omar Meqdadi SE 3860 Lecture 12 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Code Reviews James Walden Northern Kentucky University.
Inspection and Review The main objective of an Inspection or a Review is to Detect Defects. (Today -there may be some other goals or broader definition.
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
LOGO TESTING Team 8: 1.Nguyễn Hoàng Khánh 2.Dương Quốc Việt 3.Trang Thế Vinh.
Objects First With Java A Practical Introduction Using BlueJ Well-behaved objects 2.1.
Hussein Alhashimi. “If you can’t measure it, you can’t manage it” Tom DeMarco,
TESTING FUNDAMENTALS BY K.KARTHIKEYAN.
Software Development Introduction
The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
| Secure Software Development | Funke, Pfretzschner, Zulfiqar Integration of Static Code Analysis in Continuous Integration Lifecycles Source:
Findbugs Tin Bui-Huy September, Content What is bug? What is bug? What is Findbugs? What is Findbugs? How to use Findbugs? How to use Findbugs?
Static Analysis Tools Emerson Murphy-Hill. A Comparison of Bug Finding Tools for Java Bug pattern detection PMD FindBugs JLint Theorem proving [involves.
Laurea Triennale in Informatica – Corso di Ingegneria del Software I – A.A. 2006/2007 Andrea Polini XVII. Verification and Validation.
Dynamic Bug Detection & Tolerance Kathryn S McKinley The University of Texas at Austin.
Requirements Introduction Emerson Murphy-Hill. Scope of Software Project Failures WHY PROJECTS FAIL % 1. Incomplete Requirements Lack of user involvement12.4.
Presented by Rob Carver
Software Dependability
SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.
Tools for Code Review Static Analysis Handles unfinished code
CSCE 548 Secure Software Development Risk-Based Security Testing
Theodore Lawson CSCE548 Student Presentation, Topic #2
Why Every Dev. Team Needs Static Analysis
Chapter 8 – Software Testing
Verification and Validation Overview
CSCE 548 Secure Software Development Test 1 Review
Software testing strategies 2
Implementation and Maintenance
Inspection and Review The main objective of an Inspection or a Review is to detect defects. (Not for Giving Alternative Solutions) This activity and procedure.
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Software Verification and Validation
Software Verification and Validation
Software Verification and Validation
Testing, Inspection, Walkthrough
Presentation transcript:

Static Analysis Introduction Emerson Murphy-Hill

Static Analysis Static analysis is the process of evaluating a system or component based on its form, structure, content, or documentation [IEEE] Does not involve the execution of the program Software inspections are a form of static analysis “ even well tested code written by experts contains a surprising number of obvious bugs ” [Hovermeyer/Pugh] “ Java has many language features and APIs which are prone to misuse. ” [Hovermeyer/Pugh] Static analysis tools “ can serve an important role in raising the awareness of developers about subtle correctness issues.... prevent future bugs ” [Hovermeyer/Pugh]

Static Analysis Tools Search through code to detect bug patterns (error prone coding practices that arise from the use of erroneous design patterns, misunderstanding of language semantics, or simple and common mistakes). Increasingly being used to identify security vulnerabilities “ can peer into more of a program ’ s dark corners with less fuss than dynamic analysis ” [Hovemeyer/Pugh, Chess/McGraw]

Problems with static analysis tools False positive: the tool reports bugs the program doesn ’ t contain A static analysis tool will brag about having only 50% false positives. Need to manually review and decide whether to fix or ignore. Some tools allow you to create filters of the types of bugs you don ’ t want to see. False negative: the code contains bugs the tool doesn ’ t report May increase as static analysis tool developers works to reduce false positives May also detect “ harmless bugs ” which need human judgment to sort out

References Chess, Brian and McGraw, G. Static Analysis for Security, IEEE Security & Privacy, Nov/Dec Hovermeyer, David and Pugh, William, Finding Bugs is Easy, OOPSLA 2004 Rutar, N., Almazan, C., and Foster, J., A Comparison of Bug Finding Tools for Java, ISSRE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.