Collection of Static Analysis Assets
• Collection
Publisher
Software Engineering Institute
Topic or Tag
Abstract
Static analysis (SA) tools analyze source code for security defects and alert users to issues that require repair. While invaluable, SA tools tend to produce a large number of alerts (many of which are false positives), making it difficult to identify valid alerts and, in turn, to address critical security defects. SEI researchers are actively publishing research and building prototype tools to improve static analysis alerts.
Collection Items
Redemption Tool Demo: View Difference Between Original Code and Repaired Code (Manual Review)
• Video
By Lori Flynn, David Svoboda, Rebecca Beliak
This video shows a manual review of the code repairs done by Redemption in a terminal.
Watch
Redemption Tool Demo Video: Separate Environments for Code Compilation and Code Repair
• Video
By Lori Flynn, David Svoboda, Rebecca Beliak
This video shows the manual review of the code repairs done by Redemption in a terminal.
Watch
Redemption: A Prototype for Automated Repair of Static Analysis Alerts
• Blog Post
By David Svoboda
Heuristic static analysis (SA) tools are a critical component of software development. These tools use pattern matching and other heuristic techniques to analyze a program’s source code and alert users …
Read
Automated Repair of Static Analysis Alerts
• Podcast
By David Svoboda
David Svoboda discusses Redemption, a new open source tool that automatically repairs common errors in C/C++ code generated from static analysis alerts.
Listen
Release of SCAIFE System Version 2.0.0 Provides Support for Continuous-Integration (CI) Systems
• Blog Post
By Lori Flynn
The Source Code Analysis Integrated Framework Environment (SCAIFE) system is a research prototype for a modular architecture. The architecture is designed to enable a wide variety of tools, systems, and …
Read
SCAIFE and ACR: Static Analysis Classification and Automated Code Repair
• Presentation
By Lori Flynn, William Klieber
Flynn and Klieber describe their research and concept for a combined system for static analysis classification and automated code repair.
Learn More
Rapid Adjudication of Static Analysis Alerts During Continuous Integration
• Video
By Lori Flynn, Robert Nord, Hasan Yasar
Progress in research toward the rapid adjudication of static analysis alerts during continuous integration.
Watch
Advancing Cyber Operator Tradecraft Through Automated Static Binary Analysis
• Video
By Cory Cohen, Edward J. Schwartz, Jeff Gennari
This presentation discusses three SEI research and development projects that help malware and vulnerability analysts.
Watch
SCAIFE: An Alert Auditing Classification Prototype
• Video
By Ebonie McNeil
In this SEI Cyber Minute, Ebonie McNeil explains how the Source Code Analysis Integrated Framework Environment or (SCAIFE) prototype is intended to be used by developers and analysts who manually …
Watch
SCAIFE-API YAML Specification
• Software
By GitHub
The YAML file specifies the SCAIFE-API definition in a format developers can use to view, modify, and automatically generate code from.
Download
SCAIFE API Definition Beta Version 0.0.2 for Developers
• White Paper
By Lori Flynn, Ebonie McNeil
This paper provides the SCAIFE API definition for beta version 0.0.2. SCAIFE is an architecture that supports static analysis alert classification and prioritization.
Read
Integration of Automated Static Analysis Alert Classification and Prioritization with Auditing Tools: Special Focus on SCALe
• Technical Report
By Lori Flynn, Ebonie McNeil, David Svoboda, Derek Leung, Zachary Kurtz, Jiyeon Lee (Carnegie Mellon University)
This report summarizes progress and plans for developing a system to perform automated classification and advanced prioritization of static analysis alerts.
Read
How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications
• Blog Post
By David Svoboda
The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT). High-end automobiles …
Read
Practical Precise Taint-flow Static Analysis for Android App Sets
• White Paper
By William Klieber, Lori Flynn, William Snavely, Michael Zheng
This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.
Read
SCALe: Evaluating Source Code for Adherence to Secure Coding Standards
• Fact Sheet
By Software Engineering Institute
SCALe conformance testing provides organizations with an evaluation of their source code for its adherence to secure coding standards.
Learn More
A Fighting Chance: Arming the Analyst in the Age of Big Data
• Blog Post
By Douglas Schmidt (Vanderbilt University)
The 2017 SEI Year in Review highlights the work of the institute undertaken from October 1, 2016, to September 30, 2017. This blog post, which was published in the 2017 …
Read
Rosecheckers
• Software
By SourceForge
Rosecheckers is a tool that performs static analysis on C/C++ source files to enforce the rules in the CERT C Coding Standard.
Download
Verifying Evolving Software
• Blog Post
By Arie Gurfinkel
When we verify a software program, we increase our confidence in its trustworthiness. We can be confident that the program will behave as it should and meet the requirements it …
Read
Precise Static Analysis of Taint Flow for Android Application Sets
• White Paper
By Amar S. Bhosale (No Affiliation)
This thesis describes a static taint analysis for Android that combines the FlowDroid and Epicc analyses to track inter- and intra-component data flow.
Read
Regression Verification for Real-time Embedded Software Systems
• Blog Post
By Arie Gurfinkel
The DoD relies heavily on mission- and safety-critical real-time embedded software systems (RTESs), which play a crucial role in controlling systems ranging from airplanes and cars to infusion pumps and …
Read