Delta-Bench: Differential Benchmark for Static Analysis Security Testing Tools

IEEE Conference Publication | IEEE Xplore


Abstract:

Background: Static analysis security testing (SAST) tools may be evaluated using synthetic micro-benchmarks and benchmarks based on real-world software. Aims: The aim of this study is to address the limitations of the existing SAST tool benchmarks: lack of vulnerability realism, uncertain ground truth, and a large number of findings not related to the analysed vulnerability. Method: We propose Delta-Bench, a novel approach for the automatic construction of benchmarks for SAST tools based on differencing vulnerable and fixed versions in Free and Open Source (FOSS) repositories. To test our approach, we used 7 state-of-the-art SAST tools against 70 revisions of four major versions of Apache Tomcat, spanning 62 distinct Common Vulnerabilities and Exposures (CVE) fixes and vulnerable files totalling over 100K lines of code, as the source of ground-truth vulnerabilities. Results: Our experiment allows us to draw interesting conclusions (e.g., tools perform differently depending on the selected benchmark). Conclusions: Delta-Bench allows SAST tools to be automatically evaluated on real-world historical vulnerabilities using only the findings that a tool produced for the analysed vulnerability.
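The following is an added illustration of the differential idea the abstract describes, not the paper's own tooling: diff the vulnerable and fixed revisions of a file, treat the vulnerable-revision lines the fix touched as the ground-truth location of the CVE, and score each SAST tool only on findings that fall in that region, discarding the rest as unrelated. The Java snippets, the CVE-EXAMPLE identifiers, the tool names and their findings are all constructed for this example, and the rule that a fix consisting only of inserted lines is attributed to the vulnerable line immediately after the insertion point is an assumption made here, since such a fix otherwise leaves no changed line in the scanned revision.

```python
"""
Added example: a minimal differential benchmark in the spirit of Delta-Bench.
Ground truth for each CVE = lines of the vulnerable revision removed or
rewritten by the fix (plus the line after a pure insertion, see below).
Tool findings outside that region are ignored, not counted as false positives.
All inputs below are constructed for the example.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # 1-based line number in the vulnerable revision
    rule: str   # tool's rule/category identifier


def delta_lines(vuln_src: str, fixed_src: str) -> set[int]:
    """Return 1-based lines of the vulnerable revision touched by the fix.

    'replace' and 'delete' opcodes map directly to vulnerable-revision lines.
    A pure 'insert' (e.g. a missing input check added before existing code)
    has no such lines, so we attribute it to the vulnerable line that follows
    the insertion point, falling back to the preceding line at end of file.
    This attribution rule is an assumption of this example.
    """
    a, b = vuln_src.splitlines(), fixed_src.splitlines()
    touched: set[int] = set()
    for tag, i1, i2, _j1, _j2 in SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag in ("replace", "delete"):
            touched.update(range(i1 + 1, i2 + 1))
        elif tag == "insert":
            touched.add(i1 + 1 if i1 < len(a) else i1)
    return touched


def evaluate(cases, findings_by_tool):
    """Score tools on the delta only.

    cases: iterable of (cve_id, path, vuln_src, fixed_src)
    findings_by_tool: {tool_name: [Finding, ...]} from scanning vulnerable revisions
    Returns {tool: {"detected": {cve_id: {rule, ...}}, "ignored": n}} where
    'ignored' counts findings in the analysed file that lie outside the delta.
    """
    results = {}
    for tool, findings in findings_by_tool.items():
        detected: dict[str, set[str]] = {}
        ignored = 0
        for cve, path, vuln_src, fixed_src in cases:
            delta = delta_lines(vuln_src, fixed_src)
            for f in findings:
                if f.path != path:
                    continue
                if f.line in delta:
                    detected.setdefault(cve, set()).add(f.rule)
                else:
                    ignored += 1
        results[tool] = {"detected": detected, "ignored": ignored}
    return results


# --- constructed sample data -------------------------------------------------
# Case 1: insert-only fix (a traversal check is added before the return).
VULN_1 = (
    "package example;\n"
    "public class Download {\n"
    '    static final String BASE = "/srv/files/";\n'
    "    public String resolve(String name) {\n"
    "        return BASE + name;\n"
    "    }\n"
    "}\n"
)
FIXED_1 = (
    "package example;\n"
    "public class Download {\n"
    '    static final String BASE = "/srv/files/";\n'
    "    public String resolve(String name) {\n"
    '        if (name.contains("..") || name.startsWith("/")) {\n'
    '            throw new IllegalArgumentException("bad name");\n'
    "        }\n"
    "        return BASE + name;\n"
    "    }\n"
    "}\n"
)
# Case 2: replace-type fix (shell string exec replaced by an argument vector).
VULN_2 = (
    "package example;\n"
    "public class Lister {\n"
    "    public Process list(String dir) throws Exception {\n"
    '        return Runtime.getRuntime().exec("ls " + dir);\n'
    "    }\n"
    "}\n"
)
FIXED_2 = VULN_2.replace(
    'Runtime.getRuntime().exec("ls " + dir)',
    'new ProcessBuilder("ls", "--", dir).start()',
)

CASES = [
    ("CVE-EXAMPLE-1", "Download.java", VULN_1, FIXED_1),
    ("CVE-EXAMPLE-2", "Lister.java", VULN_2, FIXED_2),
]
FINDINGS = {  # constructed tool output; line numbers refer to the vulnerable revisions
    "ToolA": [Finding("Download.java", 5, "PATH_TRAVERSAL"),
              Finding("Download.java", 3, "HARDCODED_PATH"),
              Finding("Lister.java", 4, "COMMAND_INJECTION")],
    "ToolB": [Finding("Download.java", 3, "HARDCODED_PATH"),
              Finding("Lister.java", 2, "STYLE")],
}

if __name__ == "__main__":
    for tool, r in evaluate(CASES, FINDINGS).items():
        print(tool, "detected:", sorted(r["detected"]), "ignored:", r["ignored"])
```

ToolA's hard-coded-path finding on line 3 is real tool output but has nothing to do with either CVE, so it is neither a hit nor a false positive in this scoring; that is exactly the "findings not related to the analysed vulnerability" the abstract sets out to exclude.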
Date of Conference: 09-10 November 2017
Date Added to IEEE Xplore: 11 December 2017
Conference Location: Toronto, ON, Canada

I. Introduction

Designing a benchmark with real-world software is a challenging task [1]. Therefore, existing approaches either insert bugs artificially [2], [3], or use historical bugs from the software repository of a project [4]. Artificial bug injection is often difficult to verify (see [2, p.2]), whilst historical vulnerabilities may represent only a subset of the ground truth.

References

1. "National Security Agency Center for Assured Software (NSA CAS)", Juliet Test Suite v1.2 for Java user guide, 2012.
2. J. Dahse and T. Holz, "Static detection of second-order vulnerabilities in web applications", Proc. of USENIX'14, 2014.
3. B. Dolan-Gavitt, P. Hulin, E. Kirda, T. Leek, A. Mambretti, W. Robertson, et al., "Lava: Large-scale automated vulnerability addition", Proc. of SSP'16, 2016.
4. R. Just, D. Jalali and M. D. Ernst, "Defects4J: A database of existing faults to enable controlled testing studies for Java programs", Proc. of ISSTA'14, 2014.
5. M. Johns and M. Jodeit, "Scanstud: a methodology for systematic fine-grained evaluation of static analysis tools", Proc. of ICSTW'11, 2011.
6. M. Christakis and C. Bird, "What developers want and need from program analysis: An empirical study", Proc. of ASE'16, 2016.
7. P. Li and B. Cui, "A comparative study on software vulnerability static analysis techniques and tools", Proc. of ICITIS'10, 2010.
8. P. Emanuelsson and U. Nilsson, "A comparative study of industrial static analysis tools", ENTCS, vol. 216, pp. 5-21, 2008.
9. V. Okun, R. Gaucher and P. E. Black, "Static analysis tool exposition (SATE) 2008", NIST SP, vol. 5, no. 00-2, pp. 79, 2009.
10. P. E. Black and A. Ribeiro, "SATE V Ockham sound analysis criteria", NIST SP Tech. Rep., 2016.
11. Y. Jia and M. Harman, "An analysis and survey of the development of mutation testing", TSE, vol. 37, no. 5, pp. 649-678, 2011.
12. T. Y. Chen, S. C. Cheung and S. M. Yiu, "Metamorphic testing: a new approach for generating next test cases", HKUST-CS98-01, Hong Kong University of Science and Technology Tech. Rep., 1998.
13. B. V. Livshits and M. S. Lam, "Finding security vulnerabilities in Java applications with static analysis", Proc. of USENIX'13, 2005.
14. A. Delaitre, V. Okun and E. Fong, "Of massive static analysis data", Proc. of SERE'13, 2013.
15. L. Rabai, A. Ben, B. Cohen and A. Mili, "Programming language use in US academia and industry", Inf. in Education, vol. 14, no. 2, pp. 143, 2015.
16. M. Asaduzzaman, R. K. Chanchal, K. A. Schneider and M. Di Penta, "Lhdiff: A language-independent hybrid approach for tracking source code lines", Proc. of ICSME'13, 2013.
17. D. Kawrykow and M. P. Robillard, "Non-essential changes in version histories", Proc. of ICSE'11, 2011.
18. K. Herzig, S. Just and A. Zeller, "The impact of tangled code changes on defect prediction models", Emp. Soft. Eng., vol. 21, no. 2, pp. 303-336, 2016.
19. V. H. Nguyen, S. Dashevskyi and F. Massacci, "An automatic method for assessing the versions affected by a vulnerability", Emp. Soft. Eng., vol. 21, no. 6, pp. 2268-2297, 2015.
20. D. Li, L. Li, D. Kim, T. F. Bissyandé, D. Lo and Y. L. Traon, "Watch out for this commit! A study of influential software changes", 2016.
21. T. Hall, S. Beecham, D. Bowes, D. Gray and S. Counsell, "A systematic literature review on fault prediction performance in software engineering", TSE, vol. 38, no. 6, pp. 1276-1304, 2012.
22. S. Neuhaus, T. Zimmermann, C. Holler and A. Zeller, "Predicting vulnerable software components", Proc. of CCS'07, 2007.
23. Y. Shin, A. Meneely, L. Williams and J. A. Osborne, "Evaluating complexity, code churn and developer activity metrics as indicators of software vulnerabilities", TSE, vol. 37, no. 6, pp. 772-787, 2011.
24. H. Tang, T. Lan, D. Hao and L. Zhang, "Enhancing defect prediction with static defect analysis", Proc. of INTERNETWARE'15, 2015.
25. R. K. Saha, J. Lawall, S. Khurshid and D. E. Perry, "Are these bugs really normal?", Proc. of MSR'15, 2015.