Static Analysis Tools Emerson Murphy-Hill. A Comparison of Bug Finding Tools for Java Bug pattern detection PMD FindBugs JLint Theorem proving [involves.

Slides:

Advertisements

Similar presentations

Static Analysis for Security

Advertisements

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.

Code Reviews James Walden Northern Kentucky University.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.

Static Code Analysis to Find Bugs Wright.edu CS7140 Spring 2013 (Slides collected from many sources)

Cole Cecil. Peer Code Review 2 Why do a peer code review? Find defects earlier Find different kinds of defects Share knowledge among peers Maintainability.

Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.

Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs David Hovemeyer, Jaime Spacco, and William Pugh Presented by Nathaniel Ayewah CMSC838P.

MULTIVIE W Slide 1 (of 21) Removing Duplication from java.io: a Case Study using Traits Emerson R. Murphy-Hill, Philip J. Quitslund, Andrew P. Black Maseeh.

An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.

Memories of Bug Fixes Sunghun Kim, Kai Pan, and E. James Whitehead Jr., University of California, Santa Cruz Presented By Gleneesha Johnson CMSC 838P,

RubyPolish: Static Bug Detection in Ruby Programs John Locke Alex Mont.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael D. Ernst, Jake Cockrell, William G. Griswold, David Notkin Presented.

JML TOOLS REVIEW & EVALUATION Chris Grosshans Mark Lewis-Prazen.

Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005.

ISSRE 2006 | November 10, 2006 Automated Adaptive Ranking and Filtering of Static Analysis Alerts Sarah Heckman Laurie Williams November 10, 2006.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

CSE 6329 Project Team 1 Aliasgar Kagalwala Aditya Mone Derek White Dengfeng (Thomas) Xia.

Introduction to Software Testing (Paul deGrandis) [Reading assignment: Chapter 15, pp and notes by Paul deGrandis]

XFindBugs: eXtended FindBugs for AspectJ Haihao Shen, Sai Zhang, Jianjun Zhao, Jianhong Fang, Shiyuan Yao Software Theory and Practice Group (STAP) Shanghai.

(1) Automated Quality Assurance Philip Johnson Collaborative Software Development Laboratory Information and Computer Sciences University of Hawaii Honolulu.

Ruthwika Bowenpalle,  Finding bugs :motivations.  Techniques for finding bugs.  general problem of finding bugs in software, and the strengths.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

CSCE 548 Secure Software Development Test 1 Review.

CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,

EMI INFSO-RI Metrics review Claudio (SA1), Lars, Duarte, Eamonn and Maria (SA2)

SE-3910 Real-time Systems Week 8, Class 3 – Announcement(s) – Static Analysis What/Why Tools Examples Coding Standards vs Style Guides How to include SA.

Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.

Houdini, an annotation assistant for ESC/Java K. Rustan M. Leino Compaq SRC Joint work with Cormac Flanagan K. Rustan M. Leino Compaq SRC Joint work with.

Predicting Accurate and Actionable Static Analysis Warnings: An Experimental Approach J. Ruthruff et al., University of Nebraska-Lincoln, NE U.S.A, Google.

David Evans These slides: Introduction to Static Analysis.

Static Analysis James Walden Northern Kentucky University.

CSCE 548 Building Secure Software. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,

Code Reviews James Walden Northern Kentucky University.

(A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010.

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Verification & Testing UEKönighofer, Khalimov, Rabensteiner2015.

Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.

Android Permissions Demystified

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

The Java Open Review Project Brian Chess Founder/Chief Scientist Fortify Software June 14, 2007.

The Potential of Sampling for Dynamic Analysis Joseph L. GreathouseTodd Austin Advanced Computer Architecture Laboratory University of Michigan PLAS, San.

Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.

Secure Programming with Static Analysis Brian Chess, Ph.D.

Tracking Bad Apples: Reporting the Origin of Null & Undefined Value Errors Michael D. Bond UT Austin Nicholas Nethercote National ICT Australia Stephen.

Static Analysis Introduction Emerson Murphy-Hill.

Wireless LAN Concepts. Wireless LAN Standards.

Findbugs Tin Bui-Huy September, Content What is bug? What is bug? What is Findbugs? What is Findbugs? How to use Findbugs? How to use Findbugs?

Multiplication Timed Tests.

Chapter 2 Introduction to Static Analysis. Chapter Outline Capabilities and Limitations of Static Analysis  Type checking  Style checking  Program.

Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.

Verificare şi Validarea Sistemelor Soft Tem ă Laborator 1 Tools for JML jmlc & jmlrac Dat ă primire laborator: Lab 1 Dat ă predare laborator: Lab 2.

Dynamic Bug Detection & Tolerance Kathryn S McKinley The University of Texas at Austin.

Extended Static Checking for Java

More Security and Programming Language Work on SmartPhones

CSCE 548 Secure Software Development Test 1 Review

Pradeo Security Systems

Lightweight Verification of Array Indexing

Hoare-style program verification

How to stop Fortran programming problems at the source

Language-based Security

A Metric for Evaluating Static Analysis Tools

CS5103 Software Engineering

White Box testing & Inspections

RAC Support for JML on Eclipse Platform

Presentation transcript:

Static Analysis Tools Emerson Murphy-Hill

A Comparison of Bug Finding Tools for Java Bug pattern detection PMD FindBugs JLint Theorem proving [involves annotation] ESC/Java 2 Model checking [involves annotation] Bandera Result: little overlap in the warning generated by the tools & no correlation between the warning count and the tool  always be a need for multiple separate tools

[Rutar et al.]

FindBugs 400+ bug pattern detectors Single-threaded correctness issue Thread/synchronization correctness issue Performance issue Security and vulnerability to malicious untrusted code [Hovermeyer/Pugh]

References Chess, Brian and McGraw, G. Static Analysis for Security, IEEE Security & Privacy, Nov/Dec Hovermeyer, David and Pugh, William, Finding Bugs is Easy, OOPSLA 2004 Rutar, N., Almazan, C., and Foster, J., A Comparison of Bug Finding Tools for Java, ISSRE