Towards a Technique to Detect Weaknesses in C Programs


Research area: Analysis



Venue: SBES '21: Proceedings of the XXXV Brazilian Symposium on Software Engineering


Abstract

Several critical systems, such as Linux, are implemented in the C language, and a security flaw in these systems may impact a vast number of users. Despite efforts to provide security support, these systems still have weaknesses, leading to vulnerable code. In fact, the number of reported vulnerabilities has increased in recent years: more than 18 thousand vulnerabilities were reported to the National Vulnerability Database (NVD) in 2020. Static analysis tools, such as Flawfinder and Cppcheck, may help with this problem by reporting some kinds of weaknesses. However, they present a high rate of false alarms, i.e., warnings reported for a program when no problem actually exists. We present a technique that combines static analysis with software testing to detect weaknesses introduced in the code during the earlier development stages of C programs. The technique is implemented in a framework named WTT. To verify our technique's relevance, we evaluated 103 warnings from 6 different projects and detected 22 weaknesses of three different kinds: Buffer Overflow, Format String, and Integer Overflow. The results show evidence that our technique may help developers anticipate weakness detection in C programs, reducing the occurrence of vulnerabilities in operational versions.


Authors

Raphael Muniz, Instituto Federal do Rio Grande do Norte, Brazil

Wilkerson L Andrade, Universidade Federal de Campina Grande, Brazil

Patrícia D L Machado, Universidade Federal de Campina Grande, Brazil

Paper information

Publication year: 2021
Citations: 1
Country of publication: Brazil
Site: ACM