摘要
静态分析是检测软件代码缺陷和提升软件代码质量的有效方式.由于静态分析不实际运行代码,不能获取足够的运行时信息,因此分析结果的准确性有待提高.相比而言,符号执行技术能够模拟执行程序并收集大量的数据流信息,提升数据流分析的准确程度,弥补静态分析的不足.为了提高静态分析工具分析程序缺陷的准确性,本文设计并实现了一个代码缺陷检测工具ABAZER-SE,它基于GCC抽象语法树,综合采用符号执行与静态分析技术以检测源代码中的缺陷.使用Toyota ITC静态分析基准对该工具进行了评估,实验结果表明,本文方法及工具可以提高静态分析结果的准确性.
Static analysis is an effective way of detecting defects and improving the quality of software codes.However,without running the programs,it can not collect runtime information,so the accuracy of its analysis result is low,i.e.there are false positives.Symbolic execution method can collect data flow information through simulating the execution of the target program,thereby increasing the accuracy of static analysis.In order to improve the accuracy of static analysis results,this paper designed and developed a defect detection tool ABAZER-SE,which was built on the GCC abstract syntax tree and combined symbolic execution and static analysis techniques.The tool was applied on the Toyota ITC benchmark and the experimental results show that it can improve the accuracy of static defect analysis.
作者
王眉林
张旖旎
李明月
邵帅
刘湿润
WANG Mei-lin;ZHANG Yi-ni;LI Ming-yue;Shao Shuai;LIU Shi-run(China Information Technology Security Evaluation Center, Beijing 100085, China;School of Computer Science,Beijing University of Posts and Telecommunications, Beijing 100876, China)
出处
《北京理工大学学报》
EI
CAS
CSCD
北大核心
2020年第4期382-385,395,共5页
Transactions of Beijing Institute of Technology
基金
国家重点研发计划网络空间安全重点专项(2016YFB0800900)
国家自然科学基金面上项目(61672534)。
关键词
静态分析
符号执行
缺陷检测
不可达路径
static analysis
symbolic execution
defects detection
infeasible path