An Evaluation of Static Source Code Analyzers for Automated Vulnerability Detection

N. Hanebutte and P. Oman (USA)


Software Security, Static Source Code Analysis, Software Vulnerability


Data from the Software Engineering Institute's CERT initiative shows exponential growth in computer intrusions and vulnerabilities over the last ten years. Although the origins of software vulnerabilities are varied, approximately 50 percent of documented security compromises can be attributed to buffer overrun and format string attacks. Several software tools have been developed to automatically scan source code in order to detect and mitigate code vulnerabilities that may have security implications. In this paper we compare and contrast six static code analyzers to determine how effective the tools are in identifying and diagnosing known vulnerabilities across 43 historical versions of a widely used public domain file transfer program.

• A program may be designed to fulfill a specific task, but if that task is performed with a different (e.g., malicious) goal it could turn into an intrusion
• An operation performed by the software might contain a loophole that could be exploited by the person executing the code
• A precondition for a function to work properly might be overlooked or ignored by the developer
• The code does not properly implement the software design specification, so that security safeguards in the specification are circumvented by the faulty implementation

Certain programming languages feature functions that can be included into the source code from standard libraries. If these functions are called in particular ways, they may allow an attacker to alter the executing code at runtime, leading to program behavior outside the operational profile. These attacks are known as "buffer overrun" and "format string" attacks and are two of the most exploited weaknesses in software systems and applications. Code that uses these potentially vulnerable library functions may behave correctly when presented with valid user input yet fail on input outside its design scope.

Studies of the CMU CERT computer intrusion incident data show that buffer overruns account for roughly half of all computer intrusions reported to CERT during the 1990s [1,2]. There is no evidence that this significant vulnerability has diminished in recent years. In this paper we test several software vulnerability analyzers that are advertised to detect instances of buffer overrun and format string problems. Although our study focused on C code analyzers, the results have relevance for any programming language in which buffer overrun and format string vulnerabilities can be exploited. In our tests, source code files from multiple versions of wu-ftpd were examined with four different static code vulnerability analyzers, and the results were compared against lint and gcc -Wall, two commonly used source code analyzers. Results showed that the static source code vulnerability analyzers provide a different set of diagnostics than lint and gcc -Wall, and that the vulnerability scanners are effective tools for identifying and diagnosing instances of security-related weaknesses. Our tests demonstrate that it is possible to find several types of software vulnerabilities via static source code analysis.
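As an added illustration (not code from the paper or from any of the tools it evaluates), the following minimal lexical scanner works the way the simplest static vulnerability analyzers do: it matches calls to unbounded string-copy functions and printf-family calls whose format argument is not a string literal, and runs over a constructed C snippet that contains an unsafe greeting routine next to its bounded, literal-format rewrite.

```python
import re

# Calls a lexical vulnerability scanner treats as unbounded copies, the
# buffer-overrun class reported by the tools discussed in the paper.
UNBOUNDED = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
# printf-family functions and the position of their format argument; a
# non-literal value there is the classic format string weakness.
FORMAT_ARG_INDEX = {"printf": 0, "fprintf": 1, "sprintf": 1,
                    "snprintf": 2, "syslog": 1}

# One C call statement: identifier, parenthesised arguments, semicolon.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;]*)\)\s*;")
# Top-level commas only: skips commas inside one level of parentheses.
ARG_SPLIT_RE = re.compile(r",\s*(?![^(]*\))")


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line, function, reason) for each suspicious call in C source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args = [a.strip() for a in ARG_SPLIT_RE.split(m.group(2))]
            if func in UNBOUNDED:
                findings.append((lineno, func, "unbounded copy: possible buffer overrun"))
            idx = FORMAT_ARG_INDEX.get(func)
            if idx is not None and idx < len(args) and not args[idx].startswith('"'):
                findings.append((lineno, func, "non-literal format string"))
    return findings


# Constructed sample: the same greeting written unsafely, then safely.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
void greet(const char *user) {
    char buf[64];
    strcpy(buf, user);   /* unbounded copy into a fixed buffer */
    printf(buf);         /* caller-controlled format string */
}
void greet_safe(const char *user) {
    char buf[64];
    snprintf(buf, sizeof(buf), "%s", user);
    printf("%s\n", buf);
}
"""

if __name__ == "__main__":
    for lineno, func, reason in scan(SAMPLE_C):
        print(f"line {lineno}: {func}: {reason}")
```

Like the lexical tools it imitates, the scanner sees only call syntax, so it cannot tell whether a non-literal format argument is actually attacker-controlled; that distinction is what separates the diagnostics of such scanners from the type and usage warnings of lint and gcc -Wall.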
