Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions

Title: Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Gauthier, F., Keynes, N., Allen, N., Corney, D., Krishnan, P.
Conference Name: 2018 IEEE Cybersecurity Development (SecDev)
ISBN Number: 978-1-5386-7662-2
Keywords: applications code, C/C++ systems code, composability, Conferences, Databases, Human Behavior, Java, Java EE, low false positives, Metrics, PL/SQL server stack, program diagnostics, pubcrawl, relational database security, relational databases, Resiliency, scalable static analysis, security, security of data, security vulnerabilities, SQL, static analysis, Static Analysis Tool, static code analysis, Tools, Trademarks

Parfait [1] is a static analysis tool originally developed to find implementation defects in C/C++ systems code. Parfait's focus is on providing both high precision (low false positives) and scaling to systems with millions of lines of code (typically requiring 10 minutes of analysis time per million lines). Parfait has since been extended to detect security vulnerabilities in applications code, supporting the Java EE and PL/SQL server stack. In this abstract we describe some of the challenges we encountered in this process, including some of the differences seen between the applications code being analysed, our solutions that enable us to analyse a variety of applications, and a summary of the challenges that remain.

Citation Key: gauthier_scalable_2018