
Static Analysis-Targeted Automated Repair to Secure Code and Reduce Effort

Conference Paper
In this presentation, Lori Flynn and David Svoboda discuss the automated program repair (Redemption) project. The presentation was given at the NDIA System and Mission Engineering Conference on 29 October 2024.
Publisher

Software Engineering Institute

Abstract

Static analysis tools scan code, producing many defect alerts, requiring expert effort to validate. We developed an extensible tool that automatically repairs associated code for three types of alerts. With common tools, users can review/accept any repairs. We demo and describe how our tool secures code and saves effort.

Static analysis (SA) is a standard testing method used to analyze source code for defects. SA tools tend to produce many alerts, many of which are false positives. The cost of experts manually assessing alerts is a significant barrier to adoption of this key technology for reducing security defects; as a result, most organizations narrow the set of code-flaw types they look for.

This presentation describes our FY23-24 project on using SA alerts to target automated program repair (APR) technology at defects. We discuss our design choices, development methods, and experimental test results, and we show how the tool can be used during test and evaluation and during development, whether in a CI pipeline or a more manual process. We then invite discussion of extensions to the current tool that attendees would find helpful.

By design, our automated code repairs do not break the code, regardless of whether the alert is true or false. Code repairs that eliminate false-positive alerts are still useful: (1) expert effort is reserved for adjudicating the remaining alerts, and (2) the code can become easier for humans to understand, both for development and for security analysis.

We focused on C/C++ because we did not find any OSS APR tool documentation that explicitly states a fix for "CERT C secure coding rule violations", and because of Clang's new JSON API. The Clang C/C++ compiler is open source, cost-free, and widely used. Recently, Clang gained the ability to export the abstract syntax tree (AST) it builds as a JSON file, which helps in mapping SA alerts to AST nodes and in specifying code repairs. Based on those factors, we decided to use Clang for repairing C and C++ code.
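The alert-to-AST mapping mentioned above, as an added example that is not code from the Redemption project or the presentation: a small Python reader for the JSON that `clang -fsyntax-only -Xclang -ast-dump=json` prints, which finds the AST nodes whose source range covers an alert's file:line:col. The embedded dump is constructed by hand for a three-line get.c and follows Clang's output shape (it omits the ImplicitCastExpr wrappers Clang would place around each DeclRefExpr), including one quirk a practitioner hits immediately: the dumper leaves out a location's "file" and "line" keys when they repeat the previously printed location, so a reader has to carry them forward in emission order. The alert position get.c:2:14, the node ids, and the helper names are assumptions.

```python
"""Map a static-analysis alert (file:line:col) to nodes in Clang's JSON AST.

Added example, not code from the Redemption project. Reads the output of
`clang -fsyntax-only -Xclang -ast-dump=json get.c`. Caveat handled here:
Clang omits a location's "file" and "line" keys when they repeat the last
location it printed, so the reader carries them forward in emission order
(a node's "loc", then "range" begin and end, then its "inner" children).
"""
import json

# Constructed sample (simplified: no ImplicitCastExpr around the DeclRefExprs)
# of what Clang emits for this three-line get.c:
#   1: int get(int *a, int i) {
#   2:     return a[i];
#   3: }
SAMPLE_AST_JSON = '''
{"id": "0x1", "kind": "TranslationUnitDecl", "loc": {}, "range": {"begin": {}, "end": {}}, "inner": [
 {"id": "0x2", "kind": "FunctionDecl", "name": "get",
  "loc": {"offset": 4, "file": "get.c", "line": 1, "col": 5, "tokLen": 3},
  "range": {"begin": {"offset": 0, "col": 1, "tokLen": 3}, "end": {"offset": 42, "line": 3, "col": 1, "tokLen": 1}},
  "inner": [
   {"id": "0x3", "kind": "ParmVarDecl", "name": "a", "loc": {"offset": 13, "line": 1, "col": 14, "tokLen": 1},
    "range": {"begin": {"offset": 8, "col": 9, "tokLen": 3}, "end": {"offset": 13, "col": 14, "tokLen": 1}}},
   {"id": "0x4", "kind": "ParmVarDecl", "name": "i", "loc": {"offset": 20, "col": 21, "tokLen": 1},
    "range": {"begin": {"offset": 16, "col": 17, "tokLen": 3}, "end": {"offset": 20, "col": 21, "tokLen": 1}}},
   {"id": "0x5", "kind": "CompoundStmt",
    "range": {"begin": {"offset": 23, "col": 24, "tokLen": 1}, "end": {"offset": 42, "line": 3, "col": 1, "tokLen": 1}},
    "inner": [
     {"id": "0x6", "kind": "ReturnStmt",
      "range": {"begin": {"offset": 29, "line": 2, "col": 5, "tokLen": 6}, "end": {"offset": 39, "col": 15, "tokLen": 1}},
      "inner": [
       {"id": "0x7", "kind": "ImplicitCastExpr", "castKind": "LValueToRValue",
        "range": {"begin": {"offset": 36, "col": 12, "tokLen": 1}, "end": {"offset": 39, "col": 15, "tokLen": 1}},
        "inner": [
         {"id": "0x8", "kind": "ArraySubscriptExpr",
          "range": {"begin": {"offset": 36, "col": 12, "tokLen": 1}, "end": {"offset": 39, "col": 15, "tokLen": 1}},
          "inner": [
           {"id": "0x9", "kind": "DeclRefExpr",
            "range": {"begin": {"offset": 36, "col": 12, "tokLen": 1}, "end": {"offset": 36, "col": 12, "tokLen": 1}},
            "referencedDecl": {"id": "0x3", "kind": "ParmVarDecl", "name": "a"}},
           {"id": "0xa", "kind": "DeclRefExpr",
            "range": {"begin": {"offset": 38, "col": 14, "tokLen": 1}, "end": {"offset": 38, "col": 14, "tokLen": 1}},
            "referencedDecl": {"id": "0x4", "kind": "ParmVarDecl", "name": "i"}}
          ]}]}]}]}]}]}
'''


def _resolve(loc, state):
    """(file, line, col, tokLen) for one location object, or None if it is
    invalid (Clang prints {}). Updates state with the file/line it carries."""
    if not loc:
        return None
    if "expansionLoc" in loc:  # macro: spelling is printed before expansion
        _resolve(loc.get("spellingLoc", {}), state)
        loc = loc["expansionLoc"]
    state["file"] = loc.get("file", state["file"])
    state["line"] = loc.get("line", state["line"])
    return state["file"], state["line"], loc["col"], loc.get("tokLen", 1)


def walk_with_ranges(root):
    """Pre-order walk yielding (node, begin, end) with resolved positions."""
    state = {"file": None, "line": None}

    def walk(node):
        _resolve(node.get("loc", {}), state)  # decls print "loc" before "range"
        rng = node.get("range", {})
        begin = _resolve(rng.get("begin", {}), state)
        end = _resolve(rng.get("end", {}), state)
        if begin and end:
            yield node, begin, end
        for child in node.get("inner", []):
            yield from walk(child)

    yield from walk(root)


def nodes_at(root, file, line, col):
    """Nodes whose range covers file:line:col, outermost first. The end
    location covers the whole token that starts there (tokLen)."""
    hits = []
    for node, (bf, bl, bc, _), (ef, el, ec, etok) in walk_with_ranges(root):
        if bf == file == ef and (bl, bc) <= (line, col) <= (el, ec + etok - 1):
            hits.append(node)
    return hits


def innermost_of_kind(root, file, line, col, kind):
    """Innermost covering node of one kind, e.g. the ArraySubscriptExpr a
    repair for an array-index alert would rewrite; None if there is none."""
    for node in reversed(nodes_at(root, file, line, col)):
        if node["kind"] == kind:
            return node
    return None


def load_sample():
    """Parse the constructed dump; a real run would json.load() the file."""
    return json.loads(SAMPLE_AST_JSON)


if __name__ == "__main__":
    tu = load_sample()  # constructed alert at get.c:2:14, the index in a[i]
    print([n["kind"] for n in nodes_at(tu, "get.c", 2, 14)])
    print(innermost_of_kind(tu, "get.c", 2, 14, "ArraySubscriptExpr")["id"])
```

The walk resolves locations in the same order Clang wrote them, which is what makes the inherited line numbers come out right: the first ParmVarDecl's range begin has no "line" key and takes line 1 from the "loc" printed just before it, while the CompoundStmt's opening brace inherits line 1 from the preceding parameter's end and its closing brace explicitly moves to line 3. Matching a file name exactly is an assumption; real SA reports often use paths relative to a different directory than the one Clang was invoked from, so a production reader normalizes both sides first.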