- Software Testing and Debugging Techniques
- Software Engineering Research
- Advanced Malware Detection Techniques
- Advanced Software Engineering Methodologies
- Software Reliability and Analysis Research
- Security and Verification in Computing
- Parallel Computing and Optimization Techniques
- Software System Performance and Reliability
- Web Application Security Vulnerabilities
- Logic, programming, and type systems
- Digital and Cyber Forensics
- Data Visualization and Analytics
- Model-Driven Software Engineering Techniques
- Advanced Database Systems and Queries
- Business Process Modeling and Analysis
- Radiation Effects in Electronics
- Teaching and Learning Programming
- Advanced Neural Network Applications
- Scientific Computing and Data Management
- 3D Surveying and Cultural Heritage
- Industrial Vision Systems and Defect Detection
- Physical Unclonable Functions (PUFs) and Hardware Security
- Web Data Mining and Analysis
- Systems Engineering Methodologies and Applications
- Embedded Systems Design Techniques
The University of Texas at Dallas
2018-2024
Southwest University of Science and Technology
2023
Beijing Institute of Technology
2022
University of Maryland, College Park
2016-2017
Virginia Tech
2012-2015
Fuzz testing has enjoyed great success at discovering security critical bugs in real software. Recently, researchers have devoted significant effort to devising new fuzzing techniques, strategies, and algorithms. Such ideas are primarily evaluated experimentally, so an important question is: What experimental setup is needed to produce trustworthy results? We surveyed the recent research literature and assessed the evaluations carried out by 32 papers. We found problems in every evaluation we considered. We then...
We present a novel approach to proving the absence of timing channels. The idea is to partition a program's execution traces in such a way that each component is checked for attack resilience by a time complexity analysis, and per-component resilience implies resilience of the whole program. We construct the partition by splitting the program at secret-independent branches. This ensures that any pair of traces with the same public input has a component containing both traces. Crucially, the checks can be normal safety properties expressed in terms of a single execution. Our approach thus contrasts with prior...
JavaScript is widely used in Web applications because of its flexibility and dynamic features. However, the latter pose challenges to static analyses aimed at finding security vulnerabilities (e.g., taint analysis).
Despite their ability to detect critical bugs in software, developers consider high false positive rates to be a key barrier to using static analysis tools in practice. To improve the usability of these tools, researchers have recently begun to apply machine learning techniques to classify and filter analysis reports. Although initial results have been promising, the long-term potential and best practices for this line of research are unclear due to the lack of detailed, large-scale empirical evaluation. To partially address this knowledge gap, we...
Context sensitivity is a technique to improve program analysis precision by distinguishing between function calls. A specific context-sensitive analysis is usually designed to accommodate the programming paradigm of a particular language. JavaScript features both object-oriented and functional paradigms. Our empirical study suggests that there is no single context-sensitive analysis that always produces precise results for JavaScript applications. This observation motivated us to design an adaptive analysis, selecting from multiple choices of context sensitivity for each function....
Many critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches allow the analysis of real-world C product lines with special-purpose analyses, preventing the reuse of existing...
Many critical software systems developed in C utilize compile-time configurability. The many possible configurations of this software make bug detection through static analysis difficult. While variability-aware analyses have been developed, there remains a gap between those and state-of-the-art bug detection tools. In order to collect data on how such tools may perform and to develop real-world benchmarks, we present a way to leverage configuration sampling, off-the-shelf "variability-oblivious" bug detectors, and automatic feature...
While many real-world programs are shipped with configurations to enable/disable functionalities, fuzzers have mostly been applied to test single configurations of these programs. In this work, we first conduct an empirical study to understand how program configurations affect fuzzing performance. We find that limiting a campaign to one configuration can result in failing to cover a significant amount of code. We also observe that different configurations contribute differing amounts of code coverage, challenging the idea that each one can be efficiently fuzzed individually....
Despite the popularity of JavaScript for client-side web applications, there is a lack of effective software tools supporting JavaScript development and testing. The dynamic characteristics of JavaScript pose software engineering challenges such as program understanding and security. One important feature of JavaScript is that its objects support flexible mechanisms such as property changes at runtime and prototype-based inheritance, making it difficult to reason about object behavior. We have performed an empirical study on real JavaScript applications to understand...
Static analysis is challenged by the dynamic language constructs of JavaScript, which often lead to unacceptable performance and/or precision results. We describe an approach that focuses on improving the practicality and accuracy of points-to analysis and call graph construction for JavaScript programs. The approach first identifies program constructs that are sources of imprecision (i.e., root causes) through monitoring the static analysis process. We then examine the root causes and suggest specific context-sensitive analyses to apply. Our technique is able to find root causes that comprise less than...
The most popular static taint analysis tools for Android allow users to change the underlying analysis algorithms through configuration options. However, large configuration spaces make it difficult for developers and users alike to understand the full capabilities of these tools, and studies to-date have only focused on individual configurations. In this work, we present the first study that evaluates configurations in static taint analysis tools for Android, focusing on two tools: FlowDroid and DroidSafe. First, we perform a manual code investigation to better understand how configurations are implemented in both tools. We...
The deep learning (DL) compiler serves as a vital infrastructure component to enable the deployment of neural networks on diverse hardware platforms such as mobile devices and Raspberry Pi. A DL compiler's primary function is to translate DNN programs written in high-level frameworks such as PyTorch and TensorFlow into portable executables. These executables can then be flexibly executed by the deployed host programs. However, existing DL compilers rely on a tracing mechanism, which involves feeding a runtime input to the network...
Testing and debugging the implementation of a static analysis is a challenging task, often involving significant manual effort from domain experts in a tedious and unprincipled process. In this work, we propose an approach that greatly improves the automation of this process for analyzers with configuration options. At the core of our approach is a novel adaptation of the theoretical partial order relations that exist between these options to reason about the correctness of the actual results from running the analyzer under different configurations. This allows...
The complexity of configurable systems has grown immensely, and it is only getting more complex. Such systems are a challenge for software testing and maintenance, because bugs and other defects can and do appear in any configuration. One common requirement for many development tasks is to identify the configurations that lead to a given defect or some other program behavior. We distill this down to the question: given a location in a source file, what valid configurations include that location? A key obstacle is scalability. When there are thousands of configuration options,...
Many program verification tools can be customized via run-time configuration options that trade off performance, precision, and soundness. However, in practice, users often run tools under their default configurations, because understanding these tradeoffs requires significant expertise. In this paper, we ask how well a single, general configuration could work, and we propose SATune, a novel tool for automatically configuring verification tools for given target programs. To answer our question, we gathered a dataset of runs of four well-known tools against a range of...
Variability-aware analysis is critical for ensuring the quality of configurable C software. An important step toward the development of variability-aware analysis at scale is to transform real-world software that uses both C and the preprocessor into pure C code, by replacing the preprocessor's compile-time variability with C's runtime variability. In this work, we design and implement a desugaring tool, SugarC, that transforms away preprocessor usage. SugarC augments the formal grammar specification with translation rules, performs simultaneous type...
Business rules are an important part of the requirements of software systems that are meant to support an organization. These rules describe the operations, definitions, and constraints that apply to the organization. Within a system, business rules are often translated into constraints on the values required or allowed for data, called data constraints. Business rules are subject to frequent changes, which in turn require changes to the corresponding software. The ability to efficiently and precisely identify where business rules are implemented in source code is essential for performing such necessary changes.