This invention relates generally to analysis of software programs, and, more specifically, relates to static analysis of software programs.
Static analysis for security is an area enjoying broad adoption. The prospect of scanning the code of a Web application (for instance) to detect security vulnerabilities is very appealing. This is true first because the analysis is conservative (which means that there are no false-negative findings, at least in theory), and second because the scanning process is very efficient (compared to a dynamic analysis). Moreover, the scanning process can operate on partial, non-compiling, or undeployable code, since nothing has to be built or run. The greatest disadvantage of static analysis for security is the price the analysis pays for being conservative: there is typically a large number of false reports.
There are multiple techniques to improve the precision of static analysis, but they normally make the analysis more expensive, and thus less scalable. In particular, when it comes to static analysis for security, the ability to automatically infer which parts of the code act as information-flow downgraders, thereby sanitizing or validating user input, is crucial for the analysis report to be precise. Otherwise, even if the application takes measures to secure its code against attacks, the analysis, failing to acknowledge these measures, flags spurious vulnerabilities.
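The following toy taint analysis illustrates the point above. It is an added example, not code from the patent, and the program it analyzes is constructed here with hypothetical servlet-style names (`request.getParameter`, `htmlEncode`, `response.write`). It tracks taint forward through a straight-line program and reports every sink call that receives tainted data; run once with no known downgraders, it flags the HTML-encoded flow as a vulnerability, and run again with `htmlEncode` recognized as a downgrader, only the genuinely unsanitized flow remains. A third run shows the opposite failure: wrongly treating `concat` as a downgrader silences the real finding, which is why downgrader inference has to be both precise and sound.

```python
"""Toy forward taint analysis over a straight-line program (added example).

Demonstrates why a static security analysis must recognize
information-flow downgraders (sanitizers/validators): without them,
a sanitized source-to-sink flow is reported as a spurious vulnerability.
All function and variable names below are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Stmt:
    target: Optional[str]    # variable assigned, or None for a bare call
    func: str                # callee name
    args: Tuple[str, ...]    # argument names (variables or constants)


# Taint specification (hypothetical names).
SOURCES = frozenset({"request.getParameter"})   # produce attacker-controlled data
SINKS = frozenset({"response.write"})            # dangerous if fed tainted data

# Constructed sample program: one sanitized flow and one unsanitized flow.
SAMPLE_PROGRAM: Tuple[Stmt, ...] = (
    Stmt("name", "request.getParameter", ("param_name",)),
    Stmt("safe", "htmlEncode", ("name",)),          # downgrader: HTML-encodes input
    Stmt(None, "response.write", ("safe",)),         # sanitized flow: not a bug
    Stmt("query", "request.getParameter", ("param_q",)),
    Stmt("greeting", "concat", ("hello", "query")),  # propagates taint
    Stmt(None, "response.write", ("greeting",)),     # unsanitized flow: real XSS
)

Finding = Tuple[int, str, str]   # (statement index, sink, tainted argument)


def analyze(program: Tuple[Stmt, ...],
            downgraders: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Forward taint propagation; `downgraders` are callees whose result
    is treated as clean regardless of their inputs."""
    tainted = set()            # variables currently holding tainted data
    findings: List[Finding] = []
    for idx, st in enumerate(program):
        # Report before propagating, so a sink sees its arguments' state.
        if st.func in SINKS:
            for arg in st.args:
                if arg in tainted:
                    findings.append((idx, st.func, arg))
        if st.func in SOURCES:
            result_tainted = True
        elif st.func in downgraders:
            result_tainted = False          # downgrader output is clean
        else:
            # Conservative default: any tainted input taints the output.
            result_tainted = any(arg in tainted for arg in st.args)
        if st.target is not None:
            if result_tainted:
                tainted.add(st.target)
            else:
                tainted.discard(st.target)  # strong update for straight-line code
    return findings


def no_downgraders() -> List[Finding]:
    """Imprecise run: the encoded flow is reported as well (false positive)."""
    return analyze(SAMPLE_PROGRAM)


def with_downgrader() -> List[Finding]:
    """Precise run: only the unsanitized flow is reported."""
    return analyze(SAMPLE_PROGRAM, frozenset({"htmlEncode"}))


def over_approximated_downgraders() -> List[Finding]:
    """Unsound run: wrongly classifying `concat` as a downgrader hides the real bug."""
    return analyze(SAMPLE_PROGRAM, frozenset({"htmlEncode", "concat"}))


if __name__ == "__main__":
    print("no downgraders known:   ", no_downgraders())
    print("htmlEncode recognized:  ", with_downgrader())
    print("concat wrongly trusted: ", over_approximated_downgraders())
```

Each finding is a tuple of the statement index, the sink, and the tainted argument. The first run yields two findings, the second only the `greeting` flow at statement 5, and the third none at all, which is the false-negative side of the trade-off the text describes.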