Finding an Optimal Set of Static Analyzers to Detect Software Vulnerabilities

Jiaqi He, Revan Macqueen, Natalie Bombardieri, Karim Ali, James R. Wright, Cristina Cifuentes

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Software vulnerabilities are ubiquitous and costly. To detect vulnerabilities earlier during development, organizations deploy a set of static analyzers to locate and eventually fix these vulnerabilities before releasing their software. Due to the prohibitive cost of running all available analyzers, organizations must run only a subset of all possible analyzers on their codebases. Choosing this subset deterministically leaves recognizable gaps in vulnerability coverage. To overcome these challenges, we present Randomized Best Response (RBR), a method that computes an optimal randomization over size-bounded sets of available static analyzers. RBR models the relationship between malicious users and organizations as a leader-follower Stackelberg security game. Our solution focuses on software vulnerabilities due to their security implications when exploited by malicious users. Using 8 static analyzers for C/C++ and 8 Common Weakness Enumeration (CWE) vulnerability types, we show that RBR outperforms a set of natural baselines by always picking analyzers that achieve a higher benefit to the defender. Through a case study of a large system at Oracle, we show how RBR may be used in a real-world scenario.
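The following is an added illustration of the game described in the abstract, written for this page; it is not the paper's RBR algorithm or its data. The defender's pure strategies are all subsets of at most k analyzers, the follower (attacker) observes the defender's mix and targets the CWE class least likely to be caught, and the defender's payoff is the detection probability (zero-sum, so the Stackelberg commitment is the maximin mix). The per-analyzer detection rates are constructed numbers, the analyzer names A1..A4 are hypothetical, detections by different analyzers are assumed independent, and the mix is found by multiplicative weights (Hedge) against a best-responding attacker rather than by the paper's method.

```python
"""Toy Stackelberg game over size-bounded analyzer sets (added example, not the paper's code)."""
from itertools import combinations
import math

# Three CWE classes common in C/C++ code: memory-buffer errors, NULL dereference, integer overflow.
CWES = ("CWE-119", "CWE-476", "CWE-190")
ANALYZERS = ("A1", "A2", "A3", "A4")  # hypothetical tool names

# Constructed detection rates P(analyzer flags a vulnerability of this CWE); not measured data.
# Chosen so that every analyzer is blind to at least one class.
COVERAGE = {
    "A1": {"CWE-119": 0.8, "CWE-476": 0.0, "CWE-190": 0.0},
    "A2": {"CWE-119": 0.0, "CWE-476": 0.8, "CWE-190": 0.0},
    "A3": {"CWE-119": 0.0, "CWE-476": 0.0, "CWE-190": 0.8},
    "A4": {"CWE-119": 0.3, "CWE-476": 0.3, "CWE-190": 0.3},
}


def analyzer_sets(analyzers, max_size):
    """All non-empty subsets of at most max_size analyzers: the defender's pure strategies."""
    return [s for r in range(1, max_size + 1) for s in combinations(analyzers, r)]


def detection_rate(subset, cwe, coverage=COVERAGE):
    """P(at least one analyzer in the subset flags this CWE), assuming independent misses."""
    miss = 1.0
    for analyzer in subset:
        miss *= 1.0 - coverage[analyzer][cwe]
    return 1.0 - miss


def payoff_matrix(subsets, cwes=CWES):
    """Defender payoff D[subset][cwe]; the attacker's payoff is 1 - D (zero-sum)."""
    return {s: {c: detection_rate(s, c) for c in cwes} for s in subsets}


def expected_detection(strategy, matrix, cwe):
    """Detection probability for one CWE under a mixed strategy (subset -> probability)."""
    return sum(p * matrix[s][cwe] for s, p in strategy.items())


def attacker_best_response(strategy, matrix, cwes=CWES):
    """The follower sees the committed mix and exploits the CWE class least likely to be caught."""
    return min(cwes, key=lambda c: expected_detection(strategy, matrix, c))


def worst_case_detection(strategy, matrix, cwes=CWES):
    """Defender's guaranteed detection rate once the attacker best-responds."""
    return min(expected_detection(strategy, matrix, c) for c in cwes)


def best_deterministic(matrix):
    """Best fixed subset if the defender never randomizes (the deterministic baseline)."""
    return max(matrix, key=lambda s: min(matrix[s].values()))


def randomized_strategy(matrix, rounds=20000):
    """Approximate maximin mix via Hedge against a best-responding attacker.

    The time-averaged mix guarantees at least (game value - sqrt(ln n / (2 rounds))).
    """
    subsets = list(matrix)
    n = len(subsets)
    eta = math.sqrt(8.0 * math.log(n) / rounds)
    weights = {s: 1.0 / n for s in subsets}
    average = {s: 0.0 for s in subsets}
    for _ in range(rounds):
        target = attacker_best_response(weights, matrix)
        for s in subsets:
            average[s] += weights[s] / rounds
            weights[s] *= math.exp(eta * matrix[s][target])  # reward sets that catch the target
        total = sum(weights.values())  # renormalize each round to avoid overflow
        for s in subsets:
            weights[s] /= total
    return average


if __name__ == "__main__":
    matrix = payoff_matrix(analyzer_sets(ANALYZERS, 2))
    fixed = best_deterministic(matrix)
    print("best fixed set", fixed, "worst-case detection", round(min(matrix[fixed].values()), 3))
    mix = randomized_strategy(matrix)
    for subset, p in sorted(mix.items(), key=lambda kv: -kv[1]):
        if p > 0.01:
            print(subset, round(p, 3))
    print("randomized worst-case detection", round(worst_case_detection(mix, matrix), 3))
```

With these constructed rates the best fixed pair of analyzers can only guarantee a 0.3 detection rate, because the attacker simply targets whichever class that pair is weakest on, whereas randomizing over the complementary pairs raises the guaranteed rate to about 0.53. That gap is the point of randomizing the analyzer selection: a deterministic choice tells the attacker exactly which weakness to aim for.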

Original language: English (US)
Title of host publication: Proceedings - 2023 IEEE International Conference on Software Maintenance and Evolution, ICSME 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 463-473
Number of pages: 11
ISBN (Electronic): 9798350327830
DOIs
State: Published - 2023
Event: 39th IEEE International Conference on Software Maintenance and Evolution, ICSME 2023 - Bogota, Colombia
Duration: Oct 1 2023 - Oct 6 2023

Publication series

Name: Proceedings - 2023 IEEE International Conference on Software Maintenance and Evolution, ICSME 2023

Conference

Conference: 39th IEEE International Conference on Software Maintenance and Evolution, ICSME 2023
Country/Territory: Colombia
City: Bogota
Period: 10/1/23 - 10/6/23

Keywords

  • Program analysis
  • Software vulnerability
  • Stackelberg security

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality
