Please note: This PhD defence will be given online.
Bushra Aloraini, PhD candidate
David R. Cheriton School of Computer Science
Supervisor: Professor Mei Nagappan
Software vulnerabilities have been a significant attack surface used in cyberattacks, which have been escalating recently. Software vulnerabilities have caused substantial damage, and thus there are many techniques to guard against them. Nevertheless, detecting and eliminating software vulnerabilities from the source code is the best and most effective solution in terms of protection and cost. Static Analysis Security Testing (SAST) tools spot vulnerabilities and help programmers to remove them. The fundamental problem is that modern software continues to evolve and shift, making detecting vulnerabilities more difficult. Hence, this thesis takes a step toward highlighting the features required to be present in the SAST tools to address software vulnerabilities in modern software. The thesis’s end goal is to introduce SAST methods and tools to detect the dominant type of software vulnerabilities in modern software.
The investigation first focuses on state-of-the-art SAST tools when working with large-scale modern software. The research examines how different state-of-the-art SAST tools react to different types of warnings over time, and measures SAST tools precision of different types of warnings. The study presumption is that the SAST tools’ precision can be obtained from studying real-world projects’ history and SAST tools that generated warnings over time. The empirical analysis in this study then takes a further step to look at the problem from a different angle, starting at the real-world vulnerabilities detected by individuals and published in well-known vulnerabilities databases. Android application vulnerabilities are used as an example of modern software vulnerabilities. This study aims to measure SAST tools’ recall when they work with modern software vulnerabilities and understand how software vulnerabilities manifest in the real world. It was found that buffer errors that belong to the input validation and representation class of vulnerability dominate modern software. Also, it was found that studied state-of-the-art SAST tools failed to identify real-world vulnerabilities.
To address the issue of detecting vulnerabilities in modern software, we introduce two methodologies. The first methodology is a coarse-grain method that targets helping taint static analysis methods to tackle two aspects of the complexity of modern software. One aspect is that one vulnerability can be scattered across different languages in a single application making the analysis harder to achieve. The second aspect is that the number of sources and sinks is high and increasing over time, which can be challenging for taint analysis to cover such a high number of sources and sinks. The proposed methodology was implemented in a tool called Source Sink (SoS) tool that filters out the source and sink pairs that do not have feasible paths. Then, another fine-grain methodology focuses on discovering buffer errors that occur in modern software. The method performs taint analysis to examine the reachability between sources and sinks and looks for “sanitizer” or “validator” that validates the untrusted input. The methodology was implemented in a static analysis security testing tool called Buffer Error Finder (BEFinder) tool to carry out such analysis.
To join this PhD defence virtually on Zoom, please go to
200 University Avenue West
Waterloo, ON N2L 3G1