TY - GEN
T1 - Finding an Optimal Set of Static Analyzers to Detect Software Vulnerabilities
AU - He, Jiaqi
AU - Macqueen, Revan
AU - Bombardieri, Natalie
AU - Ali, Karim
AU - Wright, James R.
AU - Cifuentes, Cristina
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Software vulnerabilities are ubiquitous and costly. To detect vulnerabilities earlier during development, organizations deploy a set of static analyzers to locate and eventually fix these vulnerabilities before releasing their software. Due to the prohibitive cost of running all available analyzers, organizations must run only a subset of all possible analyzers on their codebases. Choosing this set deterministically leaves recognizable gaps of vulnerability coverage. To overcome these challenges, we present Randomized Best Response (RBR), a method that computes an optimal randomization over size-bounded sets of available static analyzers. RBR models the relationship between malicious users and organizations as a leader-follower Stackelberg security game. Our solution focuses on software vulnerabilities due to their security implications when exploited by malicious users. Using 8 static analyzers for C/C++ and 8 Common Weakness Enumeration (CWE) vulnerability types, we show that RBR outperforms a set of natural baselines by always picking analyzers that achieve a higher benefit to the defender. Through a case study of a large system at Oracle, we show how RBR may be used in a real-world scenario.
AB - Software vulnerabilities are ubiquitous and costly. To detect vulnerabilities earlier during development, organizations deploy a set of static analyzers to locate and eventually fix these vulnerabilities before releasing their software. Due to the prohibitive cost of running all available analyzers, organizations must run only a subset of all possible analyzers on their codebases. Choosing this set deterministically leaves recognizable gaps of vulnerability coverage. To overcome these challenges, we present Randomized Best Response (RBR), a method that computes an optimal randomization over size-bounded sets of available static analyzers. RBR models the relationship between malicious users and organizations as a leader-follower Stackelberg security game. Our solution focuses on software vulnerabilities due to their security implications when exploited by malicious users. Using 8 static analyzers for C/C++ and 8 Common Weakness Enumeration (CWE) vulnerability types, we show that RBR outperforms a set of natural baselines by always picking analyzers that achieve a higher benefit to the defender. Through a case study of a large system at Oracle, we show how RBR may be used in a real-world scenario.
KW - Program analysis
KW - Software vulnerability
KW - Stackelberg security
UR - http://www.scopus.com/inward/record.url?scp=85181534922&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85181534922&partnerID=8YFLogxK
U2 - 10.1109/ICSME58846.2023.00060
DO - 10.1109/ICSME58846.2023.00060
M3 - Conference contribution
AN - SCOPUS:85181534922
T3 - Proceedings - 2023 IEEE International Conference on Software Maintenance and Evolution, ICSME 2023
SP - 463
EP - 473
BT - Proceedings - 2023 IEEE International Conference on Software Maintenance and Evolution, ICSME 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 39th IEEE International Conference on Software Maintenance and Evolution, ICSME 2023
Y2 - 1 October 2023 through 6 October 2023
ER -