Precise Static Analysis Alarm Classification for Evolving Software

MPhil Thesis Defence


Title: "Precise Static Analysis Alarm Classification for Evolving Software"

By

Miss Kexin MA


Abstract

Static analyzers are commonly adopted to detect security vulnerabilities in 
modern software development. Upon a software update, users only need to focus 
on the differential part of the static analysis alarms, namely the delta 
alarms, from the analysis of the new version, discarding the old ones. The 
classification of delta alarms is often done by automatic tools, but the 
results are far from perfect. In this case, a user must spend extra effort and 
can hardly identify the classification errors. According to our empirical 
studies, 44.65% of the studied delta alarms are not correctly 
classified, showing the need to improve the classification of delta alarms.

However, it is non-trivial to achieve a more precise 
classification. First, identifying similar alarms requires accounting for the code 
changes related to the alarms during software evolution. Second, ensuring that an 
alarm exists in only one of the new or old version of the software requires 
us to obtain a witness of such an alarm. To tackle these challenges, we propose 
a staged solution, SAI, that computes alarm similarity using token features and 
reasons about a witness for the alarm using program dependencies. The experimental 
results show that SAI outperforms the delta alarm classifiers of three 
industrial-strength static analyzers and improves their precision by 21.19%, 
54.49%, and 43.60%, respectively.
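As an added illustration of the first stage described above (this is not the thesis's SAI code, and the token features and similarity measure it actually uses are not given here), the following Python sketch classifies alarms of a new version as old or delta by comparing token features of the alarmed source line against alarms from the old version, next to a location-based baseline that breaks as soon as line numbers shift. All alarms are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Alarm:
    checker: str   # analyzer rule that fired
    path: str      # file the alarm points at
    line: int      # line number in that version of the file
    code: str      # source line the alarm points at

# Constructed sample data, not from the thesis: the new version inserted three
# lines near the top of net.c, so every old alarm's line number shifted by 3.
OLD_ALARMS = [
    Alarm("null-deref", "net.c", 42, "len = strlen(buf);"),
    Alarm("buffer-overflow", "net.c", 57, "memcpy(dst, src, n);"),
]
NEW_ALARMS = [
    Alarm("null-deref", "net.c", 45, "len = strlen(buf);"),         # same alarm, moved
    Alarm("buffer-overflow", "net.c", 60, "memcpy(dst, src, n);"),  # same alarm, moved
    Alarm("null-deref", "net.c", 80, "p->next = NULL;"),            # genuinely new
    Alarm("buffer-overflow", "net.c", 61, "strcpy(dst, input);"),   # genuinely new
]

_TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")

def token_features(code):
    """Identifier, literal and operator tokens of the alarmed line, as a set."""
    return set(_TOKEN.findall(code))

def similarity(a, b):
    """Jaccard overlap of the two alarms' token sets, in 0.0 .. 1.0."""
    ta, tb = token_features(a.code), token_features(b.code)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def classify_by_location(old, new):
    """Baseline: an alarm is 'old' only if checker, file and line all match."""
    seen = {(o.checker, o.path, o.line) for o in old}
    return {a: "old" if (a.checker, a.path, a.line) in seen else "delta" for a in new}

def classify_by_tokens(old, new, threshold=0.7):
    """Token matching: 'old' if an old alarm from the same checker and file has
    token similarity >= threshold (threshold is an assumed value), else 'delta'."""
    result = {}
    for a in new:
        candidates = [o for o in old if (o.checker, o.path) == (a.checker, a.path)]
        best = max((similarity(a, o) for o in candidates), default=0.0)
        result[a] = "old" if best >= threshold else "delta"
    return result

if __name__ == "__main__":
    for a, label in classify_by_tokens(OLD_ALARMS, NEW_ALARMS).items():
        print(f"{a.path}:{a.line} [{a.checker}] -> {label}")
```

The location baseline reports all four new alarms as delta, while token matching keeps only the two genuinely new ones; the thesis's second stage (finding a witness via program dependencies) is not modelled here.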


Date:  			Wednesday, 28 September 2022

Time:			3:00pm - 5:00pm

Venue:			Room 5501, lifts 25/26

Committee Members:	Dr. Charles Zhang (Supervisor)
 			Prof. Shing-Chi Cheung (Chairperson)
 			Dr. Shuai Wang


**** ALL are Welcome ****