2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM): Latest Papers

Classification and Ranking of Delta Static Analysis Alarms
Tukaram Muske, Alexander Serebrenik
Abstract: Static analysis tools help to detect common programming errors but generate a large number of false positives. Moreover, when applied to evolving software systems, around 95% of alarms generated on a version are repeated, i.e., they have also been generated on the previous version. Version-aware static analysis techniques (VSATs) have been proposed to suppress the repeated alarms that are not impacted by the code changes between the two versions. The alarms reported by VSATs after the suppression, called delta alarms, still constitute 63% of the tool-generated alarms. We observe that delta alarms can be further postprocessed using their corresponding code changes: the code changes due to which VSATs identify them as delta alarms. However, none of the existing VSATs or alarms postprocessing techniques postprocesses delta alarms using the corresponding code changes. Based on this observation, we use the code changes to classify delta alarms into six classes that have different priorities assigned to them. The assignment of priorities is based on the type of code changes and their likelihood of actually impacting the delta alarms. The ranking of alarms, obtained by prioritizing the classes, can help suppress alarms that are ranked lower, when resources to inspect all the tool-generated alarms are limited. We performed an empirical evaluation using 9789 alarms generated on 59 versions of seven open source C applications. The evaluation results indicate that the proposed classification and ranking of delta alarms help to identify, on average, 53% of delta alarms as more likely to be false positives than the others.
DOI: https://doi.org/10.1109/SCAM55253.2022.00029
Published: 2022-10-01
Citations: 0

An End-to-End Framework for Repairing Potentially Vulnerable Source Code
J. Jász, Péter Hegedűs, Á. Milánkovich, R. Ferenc
Abstract: Nowadays, program development is getting easier and easier as the various IDE tools provide advice on what to write in the program. But it is not enough to implement a solution to a problem; it is also important that the non-functional properties, like the quality or security of the code, are appropriate in all aspects. One of the most widely used techniques to ensure quality is testing. If the tests fail, one can fix the code immediately. However, security issues are unexpected cases when implementing the program, which is why we do not write tests for them in advance. In many cases, security-relevant bugs can not only cause financial loss but also put human lives at risk, so detecting and fixing them is an important step for the reliability and quality of the program. The tool presented in this paper aims to generate automatic code repairs to potential vulnerabilities in the program. By integrating the recommended fixes, one can easily harden the security of their program early in the development process. A case study on six open-source Java subject systems showed that we were able to generate viable repair patches for 57 out of the 81 detected security issues (70%). For certain types (e.g., revealing private references of mutable objects), our tool reached close to perfect performance.
DOI: https://doi.org/10.1109/SCAM55253.2022.00034
Published: 2022-10-01
Citations: 0

First Steps towards a Methodology for Unified Graph's Discrepancy Analysis
Gergõ Balogh, István Baráth
Abstract: Researchers and IT professionals frequently use dataset comparison during software analysis. Additionally, they commonly make judgments based on discrepancies between two representations of the same item's set. To locate the error-prone areas of the system, developers may evaluate the densely linked regions of method call graphs in the context of their position in the package hierarchy tree. A universal technique for graphs, which can be utilized to unify the underlying process of discrepancy analysis, might help with these types of analyses. In this paper, we present a methodology for unified graph's discrepancy analysis, named Unigda. Its foundation is the previously established domain-specific discrepancy identification approach for cluster comparison. But to capture the similarity structures between the vertices of arbitrary graphs, we use several kinds of characteristic functions.
Funding note: Project no. TKP2021-NVA-09 has been implemented with the support provided by the Ministry of Innovation and Technology of Hungary from the National Research, Development and Innovation Fund, financed under the TKP2021-NVA funding scheme.
DOI: https://doi.org/10.1109/SCAM55253.2022.00035
Published: 2022-10-01
Citations: 0

N-Lane Bridge Performance Antipattern Analysis Using System-Level Execution Tracing
Riley VanDonge, Naser Ezzati-Jivan
Abstract: Performance problems caused by the improper use of multi-threading can be incredibly difficult to diagnose. There are countless resources that could introduce latency into an application when multiple cooperating threads interact improperly. As a matter of program comprehension, it is crucial to know which resources are being misused by the program causing that program to run slower. The concept of performance antipatterns has been introduced in order to classify common performance problems and bundle them with a solution. The One Lane Bridge (OLB) antipattern in particular deals with latency due to the incorrect use of multi-threading. However, existing methods to detect the OLB antipattern do not consider latency caused by active resources and use imprecise metrics. In this paper, we present a new category of OLB, the N-Lane Bridge antipattern, to cover situations of latency caused by the overuse of active resources. Moreover, a novel system-level execution tracing approach is presented to detect both categories of OLB antipatterns. As a proof-of-concept, we applied our approach to the popular Firefox web browser application and we were able to identify several OLB antipatterns, enabling us to diagnose and understand a critical performance issue.
DOI: https://doi.org/10.1109/SCAM55253.2022.00015
Published: 2022-10-01
Citations: 0

Summary-Based Compositional Analysis for Soft Contract Verification
Bram Vandenbogaerde, Quentin Stiévenart, Coen De Roover
Abstract: Design-by-contract is a development best practice that requires the interactions between software components to be governed by precise specifications, called contracts. Contracts often take the form of pre- and post-conditions on function definitions, and are usually translated to (frequently redundant) run-time checks. So-called soft contract verifiers have been proposed to reduce the run-time overhead introduced by such contract checks by verifying parts of the contracts ahead of time, while leaving those that cannot be verified as residual run-time checks. In the state of the art, static analyses based on the Abstracting Abstract Machines (AAM) approach to abstract interpretation have been proposed for implementing such soft verifiers. However, these approaches result in whole-program analyses which are difficult to scale. In this paper, we propose a scalable summary-based compositional analysis for soft contract verification, which summarises both the correct behaviour and erroneous behaviour of all functions in the program using symbolic path conditions. Information from these summaries propagates backwards through the call graph, reducing the amount of redundant analysis states and improving the overall performance of the analysis. This backwards flow enables path constraints associated with erroneous program states to flow to call sites where they can be refuted, whereas in the state of the art they can only be refuted using the information available at the original location of the error. To demonstrate our improvements in both precision and performance compared to the state-of-the-art, we implemented our analysis in a framework called MAF (short for Modular Analysis Framework) — a framework for the analysis of higher-order dynamic programming languages. We conducted an empirical study and found an average performance improvement of 21%, and an average precision improvement of 38.15%.
DOI: https://doi.org/10.1109/SCAM55253.2022.00028
Published: 2022-10-01
Citations: 2

The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android
Boladji Vinny Adjibi, F. Mbodji, Tegawendé F. Bissyandé, Kevin Allix, Jacques Klein
Abstract: This paper investigates the various technical and non-technical tools and techniques that software developers use to build and disseminate crypto mining apps on Android devices. Our study of 346 potential Android mining apps, collected between April 2019 and May 2022, has revealed the presence of more than ten mining apps on the Google Play Store, with at least half of those still available at the time of writing this (June 2022). We observed that many of those mining apps do not conceal their usage of the device's resource for mining which is considered a violation of the store's policies for developers. We estimate that more than ten thousand users have run mining apps downloaded directly from the Google Play Store, which puts the supposedly “stringent” vetting process into question. Furthermore, we prove that covert mining apps tend to be embedded into supposedly free versions of premium apps or pose as utility apps that provide valuable features to users. Finally, we empirically demonstrate that cryptojacking apps' resource consumption and malicious behavior could be insignificant. We presume that typical users, even though they might be running a mobile antivirus solution, could execute a mining app for an extended period without being alerted. We expect our results to inform the various actors involved in the security of Android devices against the lingering threat of cryptojacking and help them better assess the problem.
DOI: https://doi.org/10.1109/SCAM55253.2022.00023
Published: 2022-10-01
Citations: 0

Pruning Boolean Expressions to Shorten Dynamic Slices
Thomas Hirsch, Birgit Hofer
Abstract: This paper presents a novel extension to dynamic slicing that we call pruned slicing. The proposed slicing approach produces smaller slices than traditional dynamic slicing. This is achieved by reasoning over Boolean expressions. We have implemented a prototype in Python and empirically evaluated its performance on three different benchmarks: TCAS, QuixBugs and the Refactory dataset. We show that pruned slicing reduces the size of dynamic slices on average by 10.96 percent for TCAS. For QuixBugs and the Refactory dataset, the slice size remains the same, but the number of Boolean expressions within the slice is reduced. Further, the empirical evaluation shows that pruned dynamic slicing comes with a low computational overhead compared to dynamic slicing. Pruned slicing can also be used in combination with relevant slicing.
DOI: https://doi.org/10.1109/SCAM55253.2022.00006
Published: 2022-10-01
Citations: 0

Building LLVM and GCC, with Amake
J. Buffenbarger
Abstract: This paper describes the author's exploratory experience of porting the build systems of two large software distributions, the LLVM and GCC programming-language translation systems, to the Amake build tool. Amake is an enhanced derivative of GNU Make. Amake adds automatic language-independent dependency analysis and site-wide heterogeneous target caching. Amake also supports GNU Make's parallel-build capabilities. This experience included (mostly) expected changes to these build systems, but somewhat surprising changes to the design and implementation of Amake. A description of the former is hoped to encourage the migration of other build systems to Amake; the latter is Amake's latest set of improvements.
DOI: https://doi.org/10.1109/SCAM55253.2022.00025
Published: 2022-10-01
Citations: 0

Benchmark Fuzzing for Android Taint Analyses
Stefan Schott, Felix Pauck
Abstract: Benchmarking is the most often used technique to empirically evaluate software. To do so, benchmarks are often manually created when they are needed. Mainly two kinds of benchmarks are frequently employed: micro and real-world benchmarks. While micro benchmarks are most of the time handcrafted from scratch, real-world benchmarks are typically created by collecting available software from repositories or markets. Both types have their deficits. On the one hand, a handcrafted micro benchmark can only be of limited complexity, but the creator knows its ground-truth which is needed for precise evaluations. On the other hand, in case of a complex real-world benchmark, a ground-truth is unavailable in most cases. To bring together the best of both worlds we propose the concept of benchmark fuzzing, a three step procedure that allows for an automatic generation, execution and evaluation of benchmarks of configurable size and versatility. We implemented benchmark fuzzing in our novel Android taint analysis benchmark generation tool GenBenchDroid. Our evaluation performed on GenBenchDroid shows the benefits of benchmark fuzzing. We show that over-adaptation of benchmarks can broadly be decreased, scalability issues of analysis tools can be detected and combinations of analysis challenges that negatively impact analysis' accuracy can be identified. In addition, benchmark fuzzing allows to regenerate up-to-date versions of state-of-the-art micro and real-world benchmarks. Furthermore, our evaluation shows that the cost of benchmark fuzzing can be estimated and appears to be reasonable in regards of the advantages.
DOI: https://doi.org/10.1109/SCAM55253.2022.00007
Published: 2022-10-01
Citations: 1

On the Usage of Programming Languages in the iOS Ecosystem
Daniel Domínguez-Álvarez, Alessandra Gorla, Juan Caballero
Abstract: This paper studies how developers use different programming languages in the iOS ecosystem by examining 161,883 releases of 25,231 third-party libraries spanning 11 years available through CocoaPods, a popular iOS dependency manager. Our empirical study shows that since its release, Swift has been widely adopted, but most libraries, even recent ones, still use Objective-C as their primary programming language. Looking at a small set of 38 open-source iOS apps, instead, we observe that apps are instead predominantly written in Swift by now. We also observe significant C usage across both libraries and apps. Our results suggest that analysis tools for iOS apps should not only support Swift, but also Objective-C and C code.
DOI: https://doi.org/10.1109/SCAM55253.2022.00026
Published: 2022-10-01
Citations: 2