Paper on static analysis wins a distinguished paper award

Department of Computing's Dr Ben Livshits, one of the primary investigators for the award winning paper, discusses his research on static analysis.

Two large-scale cybersecurity attacks known as ransomware – Petya and WannaCry – have affected innumerable people and institutions across the world in as many months. However, what is not often acknowledged is that at the root of many of these attacks are software vulnerabilities caused by programming bugs. Given the size and complexity of today’s software, bugs and vulnerabilities may seem unavoidable, but computer science researchers have been working for years to improve overall software quality. 

Specifically, static analysis is widely recognized as one of the ways to ensure software robustness as well as to get rid of security vulnerabilities and privacy leaks. Unfortunately, static analysis tools are not used as broadly and consistently as they could be, due to a number of usability challenges and the lack of developer training. A recent paper entitled Just-in-time Static Analysis that will appear at the International Symposium on Software Testing and Analysis in mid-July addresses this problem by  making interactions between the developer and the static analysis as effective as possible. This work was performed by a group of academic researchers from universities in Germany, Canada, and the US, and represents a significant leap for making static analysis an integral part of software development practice.

Dr Ben Livshits

Dr Ben Livshits from Imperial College London’s Department of Computing, and one of the primary investigators on this research project said, “In this paper we proposed the concept of Just-In-Time (JIT) static analysis that interleaves code development and bug fixing in an integrated development environment (IDE). Unlike traditional batch-style analysis tools, a JIT analysis tool presents warnings to code developers over time, providing the most relevant results quickly, and computing less relevant results incrementally later. In this paper, we describe general guidelines for designing JIT analyses.” 

One of the aims of this project is to ensure continuous developer involvement with static analysis tools, avoiding tool abandonment issues.

One of the key challenges is that developers face what’s known as the “wall-of-bugs syndrome” – they run the analysis tool overnight and then, by the morning, return to a list of thousands of analysis warnings they have to plough through; not very many developers are willing to do that,” Dr. Livshits explains. “The goal of just-in-time analysis is to ease the job of the developer, leading to higher-quality, more secure software in the long run. The long-term hope is that just-in-time analysis will be successful at preventing bugs and vulnerabilities early in the software development cycle, thereby making software products we use daily more reliable, less prone to crash or to be exploited. We are very excited to be receiving the distinguished paper and see it as a sign of recognition of the importance of this area of research."

Collaborations with universities in Germany and the US allowed Imperial researchers to conduct comprehensive user studies as part of the research effort, involving both student and professional developers. “Increasingly, when we talk about developer tools, we as scientists will need to measure interactions with real programmers to properly gauge tools’ effectiveness,” said Dr. Livshits. "We are also starting to engage with premier companies that develop and sell static analysis tools such as Checkmarx to take this work further."