DLR-Logo -> http://www.dlr.de
DLR Portal Home | Imprint | Privacy Policy | Contact | Deutsch
Fontsize: [-] Text [+]

Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C

Gentsch, Christoph (2020) Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C. DLR-Interner Bericht. DLR-IB-DW-JE-2020-16. DLR DW. 37 S.

[img] PDF


The goal of SAST-tools is to help developers coding software in a more secure fashion by pointing early at suspicious constructs, insecure API usage or dangerous run-time errors. There exists a variety of tools which claim more or less to do a "security analysis". The goal of this evaluation is to measure to which extent open source static analysis-tools can find vulnerabilities in C language based code. Therefore we investigate which kind of bugs exist as vulnerabilities in C language based software found in a major linux distribution. Then we evaluate several open source static analysis tools for C on a major benchmark data set which includes the vulnerabilities we identified before. It comes out that there is a great variety in the precision and recall of the tools. We show that pure "linters" miss almost all of the vulnerabilities, however sound tools like Frama-C perform best when it comes down to finding difficult-to-spot numeric errors and buffer overflows.

Item URL in elib:https://elib.dlr.de/133945/
Document Type:Monograph (DLR-Interner Bericht)
Title:Evaluation of Open Source Static Analysis Security Testing (SAST) Tools for C
AuthorsInstitution or Email of AuthorsAuthor's ORCID iDORCID Put Code
Date:January 2020
Refereed publication:No
Open Access:Yes
Number of Pages:37
Keywords:static code analysis security testing C/C++ benchmark vulnerability CVE CWE Juliet
Institution:DLR DW
HGF - Research field:Aeronautics, Space and Transport
HGF - Program:Space
HGF - Program Themes:other
DLR - Research area:Raumfahrt
DLR - Program:R - no assignment
DLR - Research theme (Project):R - no assignment
Location: Jena
Institutes and Institutions:Institute of Data Science > IT-Security
Institute of Data Science > Secure Digital Systems
Deposited By: Gentsch, Christoph
Deposited On:30 Jan 2020 13:52
Last Modified:02 Jul 2020 14:36

Repository Staff Only: item control page

Help & Contact
electronic library is running on EPrints 3.3.12
Website and database design: Copyright © German Aerospace Center (DLR). All rights reserved.