Exposing Vulnerable Paths: Enhance Static Analysis with Lightweight Symbolic Execution

Abstract

Static analysis tools, although widely adopted in industry, suffer from a high false positive rate. This paper aims to refine the results of static analysis tools, by automatically searching for a vulnerable path from given defect report. To realize this goal, we develop SATRACER, a novel tool which integrates symbolic execution techniques with static analysis. SATRACER selectively skips those program parts which can be consistently updated by static analysis, thus drastically improving performance. We have applied SATRACER to a set of 21 real-world applications. Evaluation results show that SATRACER can successfully remove 71.4% false alarms reported by a commercial static analysis tool in 10 hours, and confirmed 29 real use-after-free bugs and 895 real null-pointer-dereference bugs.