License: Creative Commons Attribution 4.0 International license (CC BY 4.0)
When quoting this document, please refer to the following
DOI: 10.4230/OASIcs.SLATE.2023.12
URN: urn:nbn:de:0030-drops-185261
URL: http://dagstuhl.sunsite.rwth-aachen.de/volltexte/2023/18526/

Pereira, Marco ; Simões, Alberto ; Henriques, Pedro Rangel

Type Annotation for SAST

pdf-format:
OASIcs-SLATE-2023-12.pdf (0.6 MB)


Abstract

Static Application Security Testing (SAST) is a type of software security testing that analyzes the source code of an application to identify security vulnerabilities and coding errors. It helps detect security vulnerabilities in software code before deployment, reducing the risk of exploitation by attackers.
This document describes the work performed to upgrade Checkmarx's SAST tool so that vulnerability detection can take expression types into account. For this to be possible, every expression in the Document Object Model needs to be assigned a specific type according to the kind of operation and the types of its operands.
At the current stage, this project already supports expression type annotation for three programming languages: C, C++ and C#. This support was implemented by adding a new Resolver Rule to the Resolver stage, which lets the approach be generalized across languages. We also compare the complexity of writing vulnerability detection queries with and without access to type information.
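The abstract describes two things: assigning every expression a type from the kind of operation and its operand types, and the difference in query complexity once that type is available. The following is an added Python illustration for this page; it is not Checkmarx code, not the paper's Resolver Rule, and not written in the tool's query language. It performs a bottom-up type annotation over a hand-built C-like AST using a deliberately simplified version of C's usual arithmetic conversions, then runs one query written syntax-only and the same intent written against the annotated types. The `Node` shape, the symbol table, the function signatures and the sample statements are all constructed for the example.

```python
"""Toy expression-type annotation over a C-like AST, then the same query written
syntax-only and type-aware. Added illustration: not Checkmarx code, not the paper's
resolver rule, not CxQL. Type rules are simplified on purpose."""
from dataclasses import dataclass, field

# Assumed ranks for a cut-down version of C's usual arithmetic conversions: an
# arithmetic operator yields the higher-ranked operand type. char/short promotion
# and the long-vs-unsigned-int corner cases are deliberately left out.
RANK = {"int": 1, "unsigned int": 2, "long": 3, "unsigned long": 4, "float": 5, "double": 6}
SIGNED = {"int", "long"}
ARITH_OPS = {"+", "-", "*", "/", "%", "&", "|", "^", "<<", ">>"}
BOOL_OPS = {"<", ">", "<=", ">=", "==", "!=", "&&", "||"}

@dataclass
class Node:
    kind: str                   # "lit", "var", "binop" or "call"
    text: str                   # literal spelling, identifier, or operator symbol
    children: list = field(default_factory=list)
    ctype: str = None           # set by annotate(); None until then

def literal_type(text):
    """Type of a literal from its spelling (decimal literals only, assumed)."""
    if text.startswith('"'):
        return "char *"
    t = text.lower()
    if "." in t:
        return "float" if t.endswith("f") else "double"
    for suffix, ctype in (("ul", "unsigned long"), ("l", "long"), ("u", "unsigned int")):
        if t.endswith(suffix):
            return ctype
    return "int"

def annotate(node, symbols, functions):
    """Bottom-up: each expression gets a ctype from its operation kind and the
    already-annotated types of its operands."""
    for child in node.children:
        annotate(child, symbols, functions)
    if node.kind == "lit":
        node.ctype = literal_type(node.text)
    elif node.kind == "var":
        node.ctype = symbols[node.text]        # declared type from the symbol table
    elif node.kind == "call":
        node.ctype = functions[node.text][0]   # callee's declared return type
    elif node.text in BOOL_OPS:
        node.ctype = "int"                     # relational/logical results are int in C
    elif node.text in ARITH_OPS:
        left, right = (c.ctype for c in node.children)
        pointers = [t for t in (left, right) if t.endswith("*")]
        node.ctype = pointers[0] if pointers else max(left, right, key=RANK.__getitem__)
    return node

def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)

def render(node):
    if node.kind in ("lit", "var"):
        return node.text
    if node.kind == "binop":
        return f"({render(node.children[0])} {node.text} {render(node.children[1])})"
    return f"{node.text}({', '.join(render(c) for c in node.children)})"

def lit(t): return Node("lit", t)
def var(t): return Node("var", t)
def op(o, a, b): return Node("binop", o, [a, b])
def call(f, *args): return Node("call", f, list(args))

# Constructed declarations and statements (hand-built AST; no parser involved).
SYMBOLS = {"dst": "char *", "src": "char *", "n": "unsigned long", "len": "int",
           "end": "unsigned long", "start": "unsigned long"}
FUNCTIONS = {"memcpy": ("void *", ["void *", "void *", "unsigned long"]),  # name -> (return, params)
             "strlen": ("unsigned long", ["char *"])}
PROGRAM = [
    call("memcpy", var("dst"), var("src"), var("n")),
    call("memcpy", var("dst"), var("src"), var("len")),
    call("memcpy", var("dst"), var("src"), op("-", var("end"), var("start"))),
    call("memcpy", var("dst"), var("src"), op("+", var("len"), lit("1"))),
    call("memcpy", var("dst"), var("src"), lit("16")),
    call("memcpy", var("dst"), var("src"), call("strlen", var("src"))),
]

def annotate_program(program):
    return [annotate(stmt, SYMBOLS, FUNCTIONS) for stmt in program]

def memcpy_size_untyped(program):
    """Syntax-only query: memcpy calls whose size argument is not a literal. Without
    types it cannot separate size_t expressions from int ones, so it over-reports
    (narrowing it to bare variables would instead miss `len + 1`)."""
    return [render(n) for stmt in program for n in walk(stmt)
            if n.kind == "call" and n.text == "memcpy" and n.children[2].kind != "lit"]

def signed_to_unsigned_args(program):
    """Type-aware query: call arguments whose whole-expression type is a signed
    integer while the parameter is unsigned. Literals are skipped because a
    non-negative constant converts without surprise."""
    hits = []
    for stmt in annotate_program(program):
        for n in walk(stmt):
            if n.kind != "call":
                continue
            for arg, ptype in zip(n.children, FUNCTIONS[n.text][1]):
                if arg.kind != "lit" and arg.ctype in SIGNED and ptype.startswith("unsigned"):
                    hits.append(render(n))
    return hits

if __name__ == "__main__":
    print("untyped:", memcpy_size_untyped(PROGRAM))
    print("typed:  ", signed_to_unsigned_args(PROGRAM))
```

The syntax-only query reports five of the six calls, including `end - start` and `strlen(src)`, whose size arguments are already unsigned; the type-aware query reports only the two whose argument expression is `int`. One caveat worth keeping in mind: the typed rule looks at the type of the whole argument expression, so something like `len * 2u` would be annotated `unsigned int` and pass. Because the annotation pass types every subexpression, not just the argument root, a stricter query can walk into the operands and catch the signed operand inside; that per-expression coverage is what the abstract's "every expression in the Document Object Model" buys.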

BibTeX - Entry

@InProceedings{pereira_et_al:OASIcs.SLATE.2023.12,
  author =	{Pereira, Marco and Sim\~{o}es, Alberto and Henriques, Pedro Rangel},
  title =	{{Type Annotation for SAST}},
  booktitle =	{12th Symposium on Languages, Applications and Technologies (SLATE 2023)},
  pages =	{12:1--12:13},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-291-4},
  ISSN =	{2190-6807},
  year =	{2023},
  volume =	{113},
  editor =	{Sim\~{o}es, Alberto and Ber\'{o}n, Mario Marcelo and Portela, Filipe},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/opus/volltexte/2023/18526},
  URN =		{urn:nbn:de:0030-drops-185261},
  doi =		{10.4230/OASIcs.SLATE.2023.12},
  annote =	{Keywords: Static Application Security Testing, Type Annotation, C, C++, C#}
}

Keywords: Static Application Security Testing, Type Annotation, C, C++, C#
Collection: 12th Symposium on Languages, Applications and Technologies (SLATE 2023)
Issue Date: 2023
Date of publication: 15.08.2023

