Swap Detector: Open source tool for detecting API usage errors
GrammaTech has released Swap Detector, an open source tool that enables developers and DevOps teams to identify errors due to swapped function arguments, which can also be present in deployed code.
The tool, developed as part of a research project sponsored by the DHS Static Tool Analysis Modernization Project (STAMP), improves application security testing for DevOps.
Modern software development involves the use of third-party APIs, libraries, and/or frameworks that are complex, rapidly evolving, and sometimes poorly documented. According to industry estimates, open source components can represent up to 90% of the code in the average application. Meanwhile, API usage errors are a common source of security and reliability vulnerabilities.
“Traditional static-analysis techniques do not take advantage of the vast wealth of information on what represents error-free coding practices available in the open-source domain,” says Alexey Loginov, VP of Research at GrammaTech. “With Swap Detector we applied Big Data analysis techniques, what we call Big Code analysis, to the Fedora RPM open-source repository to baseline correct API usage. This allowed us to develop error-detection capabilities that far exceed the scalability and accuracy of conventional approaches to program analysis.”
Swap Detector consumes input information about a call site, and optionally, function declaration information pertaining to that call site. If it detects a potential swapped-argument error at that call site, it outputs an appropriate warning message and a score for the warning.
The Swap Detector interface integrates with a variety of static analysis tools, such as Clang Static Analyzer, Clang-Tidy, and PyLint. Although initially focused on C/C++ programs, Swap Detector is applicable to programs in other languages; and is especially beneficial for languages that are interpreted and not compiled.
Swap Detector uses multiple error-detection techniques, layered together to increase accuracy. For example, it compares argument names used in call sites with the parameter names used in corresponding declarations. In addition, it uses “Big Code” techniques, applying statistical information about usages of “known good” API-usage patterns collected from a large corpus of code, and flagging usages that are statistically anomalous as potential errors.
To improve the precision of the reported warnings, Swap Detector applies false-positive reduction strategies to the output of both techniques.