http://dx.doi.org/10.13089/JKIISC.2018.28.3.605

Analysis of Detection Ability Impact of Clang Static Analysis Tool by Source Code Obfuscation Technique  

Jin, Hongjoo (Graduate School for Information Security, Korea University)
Park, Moon Chan (Graduate School for Information Security, Korea University)
Lee, Dong Hoon (Graduate School for Information Security, Korea University)
Abstract
Due to the rapid growth of the Internet of Things market, the use of C/C++, the most widely used language in embedded systems, is also increasing. To improve the quality of C/C++ code and reduce development costs, it is better to use static analysis, a software verification technique that can be performed in the first half of the software development life cycle. Many programs use static analysis to verify software safety, and many static analysis tools are being used and studied. In this paper, we use the Clang static analysis tool to check its security weakness detection performance on verified test code. In addition, we compare the static analysis results of test code to which source code obfuscation techniques (layout obfuscation, data obfuscation, and control flow obfuscation) have been applied with the static analysis results of the original test code, and analyze the impact on the detection ability of the Clang static analysis tool.
Keywords
Internet of Things; Software Weakness; Static Analysis; Source Code Obfuscation