Multiple Program Analysis Techniques Enable Precise Check for SEI CERT C Coding Standard

2019 26th Asia-Pacific Software Engineering Conference (APSEC) Pub Date : 2019-12-01 DOI:10.1109/APSEC48747.2019.00019

Thu-Trang Nguyen, Toshiaki Aoki, Takashi Tomita, Iori Yamada

{"title":"Multiple Program Analysis Techniques Enable Precise Check for SEI CERT C Coding Standard","authors":"Thu-Trang Nguyen, Toshiaki Aoki, Takashi Tomita, Iori Yamada","doi":"10.1109/APSEC48747.2019.00019","DOIUrl":null,"url":null,"abstract":"Static analysis tools have demonstrated their ability to find non-compliant code of coding standards. However, for industrial-sized systems, static analysis tools frequently report a large number of warnings, which contain both true positives and false positives. In this research, to enable precise check for SEI CERT C Coding Standard, we combine static analysis with three different techniques. Firstly, a static analysis tool is used to detect non-compliant code, which are positions that may violate a SEI CERT C rule or recommendation. Each detected position is called a warning. Secondly, deductive verification, model checking, and pattern matching are used to verify whether each warning is a true positive or a false positive. Our experiments with two automotive applications show that this approach can help to improve the accuracy to check for SEI CERT C Coding Standard. We verify nearly 60% warnings of Rosecheckers, a static analysis tool. In these verified warnings, 97% of them are automatically detected to be true positives or false positives by our approach.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"98 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/APSEC48747.2019.00019","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Static analysis tools have demonstrated their ability to find non-compliant code of coding standards. However, for industrial-sized systems, static analysis tools frequently report a large number of warnings, which contain both true positives and false positives. In this research, to enable precise check for SEI CERT C Coding Standard, we combine static analysis with three different techniques. Firstly, a static analysis tool is used to detect non-compliant code, which are positions that may violate a SEI CERT C rule or recommendation. Each detected position is called a warning. Secondly, deductive verification, model checking, and pattern matching are used to verify whether each warning is a true positive or a false positive. Our experiments with two automotive applications show that this approach can help to improve the accuracy to check for SEI CERT C Coding Standard. We verify nearly 60% warnings of Rosecheckers, a static analysis tool. In these verified warnings, 97% of them are automatically detected to be true positives or false positives by our approach.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

多种程序分析技术使精确检查SEI CERT C编码标准

静态分析工具已经证明了它们发现不符合编码标准的代码的能力。然而，对于工业规模的系统，静态分析工具经常报告大量的警告，其中包括真阳性和假阳性。在本研究中，为了能够精确检查SEI CERT C编码标准，我们将静态分析与三种不同的技术相结合。首先，使用静态分析工具来检测不兼容的代码，这些代码可能违反SEI CERT C规则或建议。每个检测到的位置都被称为一个警告。其次，使用演绎验证、模型检查和模式匹配来验证每个警告是真阳性还是假阳性。我们对两个汽车应用程序的实验表明，该方法有助于提高检测SEI CERT C编码标准的准确性。我们验证了近60%的静态分析工具Rosecheckers的警告。在这些经过验证的警告中，97%的警告被我们的方法自动检测为真阳性或假阳性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2019 26th Asia-Pacific Software Engineering Conference (APSEC)

自引率

0.00%

发文量