Abstract: Techniques for generating a warning filter to filter the warnings output from a static program analysis tool are provided. In one example, a computer-implemented method comprises determining feature vector data for a set of warnings, wherein the set of warnings is generated in response to static analysis of a computer program, and wherein the feature vector data comprises a feature vector indicative of an attribute of a warning of the set of warnings. The computer-implemented method also comprises determining a warning filter that identifies a first subset of the set of warnings as representing true positives based on the feature vector data and classified warning data, and wherein the classified warning data represents a second subset of the set of warnings that have been classified to indicate whether respective members of the second subset are indicative of true positives.

Abstract: User-guided machine learning (ML) significantly reduces false alarms generated by an automated analysis tool performing static security analysis. User interactivity involves initial review and annotation of findings (“witnesses”) in a report generated by the analysis tool. Those annotated findings are then used by the system to generate a “hypothesis” about how to further classify the static analysis findings in the report. The hypothesis is implemented as a machine learning classifier. To generate the classifier, a set of features are abstracted from a typical witness, and the system compares feature sets against one another to determine a set of weights for the classifier. The initial hypothesis is then validated against a second set of user-annotated findings, and the classifier is adjusted as necessary based on how close it fits the new data. Once the approach converges on a final classifier, it is used to filter remaining findings in the report.

Abstract: A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed.

Abstract: Techniques for generating a warning filter to filter the warnings output from a static program analysis tool are provided. In one example, a computer-implemented method comprises determining feature vector data for a set of warnings, wherein the set of warnings is generated in response to static analysis of a computer program, and wherein the feature vector data comprises a feature vector indicative of an attribute of a warning of the set of warnings. The computer-implemented method also comprises determining a warning filter that identifies a first subset of the set of warnings as representing true positives based on the feature vector data and classified warning data, and wherein the classified warning data represents a second subset of the set of warnings that have been classified to indicate whether respective members of the second subset are indicative of true positives.

Abstract: A method includes a computing system reading a rule file that includes one or more rules having specified paths to methods, such that each method corresponds to one of a sink, source, or sanitizer. The method includes the computing system matching the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes the computing system, using the sinks, sources, and sanitizers found by the matching, performing a taint analysis to determine at least tainted flows from sources to sinks, the tainted flows being flows that pass information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also shown.

Abstract: User-guided machine learning (ML) significantly reduces false alarms generated by an automated analysis tool performing static security analysis. User interactivity involves initial review and annotation of findings (“witnesses”) in a report generated by the analysis tool. Those annotated findings are then used by the system to generate a “hypothesis” about how to further classify the static analysis findings in the report. The hypothesis is implemented as a machine learning classifier. To generate the classifier, a set of features are abstracted from a typical witness, and the system compares feature sets against one another to determine a set of weights for the classifier. The initial hypothesis is then validated against a second set of user-annotated findings, and the classifier is adjusted as necessary based on how close it fits the new data. Once the approach converges on a final classifier, it is used to filter remaining findings in the report.

Abstract: A disclosed method includes accessing one or more seeding specifications and a program including computer-readable code and applying the one or more seeding specifications to the program to identify for analysis seeds including strings for corresponding identified string variables. The method includes tracking flows emanating from the identified seeds. The tracking includes computing an integral offset into a tracked string variable for any statements causing such a computation. The tracking also includes providing a string representation based on the computed integral offset, wherein the provided string representation comprises a value of the integral offset and an indication of the corresponding tracked string variable. The tracking further includes modeling string manipulations of the tracked string variables using the string representations. Apparatus and program products are also disclosed.

Abstract: A disclosed method includes accessing one or more seeding specifications and a program including computer-readable code and applying the one or more seeding specifications to the program to identify for analysis seeds including strings for corresponding identified string variables. The method includes tracking flows emanating from the identified seeds. The tracking includes computing an integral offset into a tracked string variable for any statements causing such a computation. The tracking also includes providing a string representation based on the computed integral offset, wherein the provided string representation comprises a value of the integral offset and an indication of the corresponding tracked string variable. The tracking further includes modeling string manipulations of the tracked string variables using the string representations. Apparatus and program products are also disclosed.

Abstract: A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed.

Abstract: A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed.

Abstract: Methods for program analysis include performing a high-level analysis on a program using a processor to generate one or more high-level findings; performing one or more low-level analyses on the program using a processor to generate one or more low-level findings; mapping the one or more low-level findings to the high-level findings to generate a concise combination report that categorizes each finding according to the highest-level analysis that produces the finding.