Bachelor Thesis BCLR-2022-34

Bibliography: Krawczyk, Lukas: An Approach for Identifying False Positive Warnings in SAST Tooling.
University of Stuttgart, Faculty of Computer Science, Electrical Engineering, and Information Technology, Bachelor Thesis No. 34 (2022).
61 pages, English.
Abstract

In this thesis, we present an approach to reduce the number of false positive results in static analysis of cryptographic libraries. To achieve this, we take an existing path-sensitive algorithm for eliminating RCE vulnerabilities and adapt it to recognize a group of vulnerabilities found in cryptographic libraries. We implement a prototype of our approach in Java, using the Soot API for control flow graph and call graph generation. The prototype is then evaluated from two perspectives: accuracy and performance. We use a cryptographic benchmark to evaluate accuracy and a set of randomly chosen executable Java programs to evaluate performance. We summarize our results in a concluding chapter.

Department(s): University of Stuttgart, Institute of Software Technology, Empirical Software Engineering
Supervisor(s): Wagner, Prof. Stefan; Franco da Silva, Dr. Ana Christina; Haug, Markus; Graziotin, Dr. Daniel
Entry date: October 25, 2022
Publ.: Computer Science