From November 6th to November 29th, Mr. Aniruddhan Murali and Mr. Noble Saji Mathews from the University of Waterloo, Canada, will visit us at the Secure Software Engineering group. You are all welcome to connect with them during their stay. As an opening, both will give brief presentations on November 7th; the abstracts are below. You are all invited to attend!
Mr. Aniruddhan Murali
Room: F0.225
Title: FuzzSlice: Pruning False Positives in Static Analysis Warnings Through Function-Level Fuzzing
Abstract: Manual confirmation of static analysis reports is a daunting task. This is due to both the large number of warnings and the high density of false positives among them. Fuzzing techniques have been proposed to verify static analysis warnings. However, a major limitation is that fuzzing the whole project to reach all static analysis warnings is not feasible. This can take several days and exponential machine time to increase code coverage linearly.
Therefore, we propose FuzzSlice, a novel framework that automatically prunes possible false positives among static analysis warnings. Unlike prior work that mostly focuses on confirming true positives among static analysis warnings, which inevitably requires end-to-end fuzzing, FuzzSlice focuses on ruling out potential false positives, which are the majority in static analysis reports. The key insight that we base our work on is that a warning that does not yield a crash when fuzzed at the function level in a given time budget is a possible false positive. To achieve this, FuzzSlice first aims to generate compilable code slices at the function level. Then, FuzzSlice fuzzes these code slices instead of the entire binary to prune possible false positives. Our evaluation shows that the ground truth in the Juliet dataset had 864 false positives which were all detected by FuzzSlice. For the open-source repositories, we were able to get the developers from two of these open-source repositories to independently label these warnings. FuzzSlice automatically identifies 33 out of 53 false positives confirmed by developers in these two repositories. This implies that FuzzSlice can reduce the number of false positives by 62.26% in the open-source repositories and by 100% in the Juliet dataset.
Mr. Noble Saji Mathews
Room: F0.225
Title: Advances in Code Understanding: From Static Analysis to AI-Driven Software Engineering
Abstract: With the success of tools like Copilot and AI-driven assistants, software engineering is shifting toward an intent-driven approach, bringing new opportunities and challenges. AI now helps us build systems that understand language, and, in effect, code, in ways that weren’t possible before, changing how we develop and maintain software. This talk will cover my journey, which began with static and dynamic analysis during my undergrad and expanded into code representation learning and, more recently, research on large language models (LLMs) in software engineering. I’ll share an overview of my past projects and interests, alongside a retrospective on how code understanding has evolved in just a few years. Where might the next generation of code analysis tools go? I believe it’s an exciting time to be a researcher in software engineering!