
Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C

Gentsch, Christoph (2020) Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C. DLR-Interner Bericht (DLR internal report) DLR-IB-DW-JE-2020-16, 37 pp.

PDF (524kB)

Abstract

The goal of SAST tools is to help developers write software more securely by pointing early at suspicious constructs, insecure API usage or dangerous run-time errors. A variety of tools exist that claim, to a greater or lesser degree, to perform a "security analysis". The goal of this evaluation is to measure to what extent open source static analysis tools can find vulnerabilities in C code. We therefore first investigate which kinds of bugs occur as vulnerabilities in C-based software shipped by a major Linux distribution. We then evaluate several open source static analysis tools for C on a major benchmark data set that includes the vulnerability classes identified before. It turns out that precision and recall vary greatly between tools. We show that pure "linters" miss almost all of the vulnerabilities, whereas sound tools such as Frama-C perform best at finding hard-to-spot numeric errors and buffer overflows.
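The kind of numeric error the abstract refers to, shown as an added illustration that is not code from the report or from its benchmark set: a size computed from untrusted input wraps silently, a much smaller buffer than intended is allocated, and the following copy overruns it. The record format, the function names and the sample payload are constructed for this example. The unchecked version is syntactically clean C, which is why a style-level linter has nothing to report; catching it requires reasoning about the possible value range of the product, which is what the abstract credits sound tools with.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed scenario (hypothetical, not from the report): a parser reads a
 * record count and an element size from an untrusted header and allocates
 * count * elem_size bytes for the payload. */

/* Step 1 of the defect: the unchecked size computation. Unsigned arithmetic
 * wraps silently, so a huge count yields a tiny total (CWE-190). */
size_t unchecked_total(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Step 2: the wrapped total sizes the heap block, but the copy loop is bounded
 * by the original count, so the copy runs past the end of the block (CWE-122).
 * Shown for the shape of the bug only; do not call it with wrapping inputs. */
unsigned char *unpack_unchecked(const unsigned char *payload, size_t count, size_t elem_size) {
    unsigned char *buf = malloc(unchecked_total(count, elem_size));
    if (!buf) return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(buf + i * elem_size, payload + i * elem_size, elem_size);
    return buf;
}

/* Hardened helper: detect multiplication overflow before allocating.
 * Returns 1 on overflow (leaving *out untouched), 0 otherwise. */
int mul_overflows(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 1;
    *out = a * b;
    return 0;
}

/* Hardened unpack: rejects totals that do not fit in size_t and totals larger
 * than the payload actually supplied, then copies exactly `total` bytes. */
unsigned char *unpack_checked(const unsigned char *payload, size_t payload_len,
                              size_t count, size_t elem_size) {
    size_t total;
    if (mul_overflows(count, elem_size, &total)) return NULL;
    if (total > payload_len) return NULL;
    unsigned char *buf = malloc(total ? total : 1);  /* malloc(0) is implementation-defined */
    if (!buf) return NULL;
    memcpy(buf, payload, total);
    return buf;
}

int main(void) {
    /* Constructed payload: three 4-byte records. */
    const unsigned char payload[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};

    /* (SIZE_MAX/4 + 2) * 4 == SIZE_MAX + 5, which wraps to 4 on 32- and 64-bit. */
    printf("wrapped total: %zu\n", unchecked_total(SIZE_MAX / 4 + 2, 4));

    unsigned char *ok = unpack_checked(payload, sizeof payload, 3, 4);
    printf("3 x 4 bytes: %s\n", ok ? "accepted" : "rejected");
    free(ok);

    unsigned char *bad = unpack_checked(payload, sizeof payload, SIZE_MAX / 4 + 2, 4);
    printf("wrapping size: %s\n", bad ? "accepted" : "rejected");
    free(bad);
    return 0;
}
```

The check in `mul_overflows` is the portable form; with GCC or Clang the same thing can be written as `__builtin_mul_overflow(a, b, out)`, which compiles to a flag test instead of a division.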

Item URL in elib: https://elib.dlr.de/133945/
Document Type: Monograph (DLR-Interner Bericht, DLR internal report)
Title: Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C
Authors: Gentsch, Christoph (Christoph.Gentsch (at) dlr.de; ORCID iD: unspecified)
Date: January 2020
Refereed publication: No
Open Access: Yes
Gold Open Access: No
In SCOPUS: No
In ISI Web of Science: No
Number of Pages: 37
Status: Published
Keywords: static code analysis, security testing, C/C++, benchmark, vulnerability, CVE, CWE, Juliet
Institution: DLR DW
Department: ITS
HGF - Research field: Aeronautics, Space and Transport
HGF - Program: Space
HGF - Program Themes: other
DLR - Research area: Space (Raumfahrt)
DLR - Program: R - no assignment
DLR - Research theme (Project): R - no assignment
Location: Jena
Institutes and Institutions: Institute of Data Science > IT-Security
Deposited By: Gentsch, Christoph
Deposited On: 30 Jan 2020 13:52
Last Modified: 30 Jan 2020 13:52
