SAST Integration with Security-Criticality Assessment

Thesis: Master Thesis

Description:

Static Application Security Testing (SAST) tools are powerful instruments for detecting security vulnerabilities in software, but they are computationally expensive: running a full taint analysis on large codebases can take hundreds of seconds or more. A promising direction to address this is to restrict the analysis to the most security-critical parts of the code before SAST is even invoked.

This thesis builds on an existing framework for security-criticality assessment of Java methods. The framework (its details will be introduced at the start of the thesis) computes a score for each method from its calls to Security-Relevant Methods (SRMs): dangerous library functions known to be involved in security-sensitive operations. Methods with higher scores are considered more security-critical and are therefore better candidates as entry points for a subsequent SAST analysis.

Preliminary results show that using these scores to restrict SAST entry points already reduces analysis time by 20% to 34%, depending on the taint-analysis configuration, without a significant loss in vulnerability detection. However, the different strategies for selecting entry points, such as filtering by score threshold or choosing the selection granularity (method vs. class vs. file level), have not been systematically compared, and the speed-versus-completeness trade-off has not been formally characterized.
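To make the selection strategies concrete, the following is an added illustration (not code from the existing framework or from this thesis) of how score-based entry-point selection can be compared across granularities. It assumes a simplified scoring rule, the number of distinct SRMs a method calls directly, a method identifier of the form `file:Class.method`, and a constructed SRM list and call table; the real framework's scoring and data model may differ.

```python
"""Score-based SAST entry-point selection at method, class and file granularity.

Added example, not part of the original framework. Assumptions (not from the
thesis description): a method's score is the number of distinct SRMs it calls
directly; methods are identified as "<file>:<Class>.<method>"; SRMS and CALLS
are constructed sample data.
"""
from collections import defaultdict

# Constructed SRM list (hypothetical entries, not the framework's real list).
SRMS = {
    "java.sql.Statement.executeQuery",
    "java.lang.Runtime.exec",
    "javax.servlet.http.HttpServletRequest.getParameter",
    "java.io.File.<init>",
}

# Constructed call table: method id -> methods it calls directly.
CALLS = {
    "UserDao.java:UserDao.findByName": [
        "java.sql.Statement.executeQuery",
        "java.lang.String.format",
    ],
    "UserDao.java:UserDao.count": ["java.sql.Statement.executeQuery"],
    "Shell.java:Shell.run": [
        "javax.servlet.http.HttpServletRequest.getParameter",
        "java.lang.Runtime.exec",
    ],
    "Shell.java:Util.log": ["java.util.logging.Logger.info"],
    "Health.java:Health.ping": ["java.lang.System.currentTimeMillis"],
}


def method_scores(calls, srms):
    """Assumed scoring rule: count of distinct SRMs called directly by the method."""
    return {m: len(set(callees) & srms) for m, callees in calls.items()}


def _unit_key(method_id, granularity):
    """Map a method id to the selection unit it belongs to at the given granularity."""
    file_, rest = method_id.split(":", 1)
    cls, _, _ = rest.rpartition(".")
    return {"method": method_id, "class": f"{file_}:{cls}", "file": file_}[granularity]


def aggregate(scores, granularity):
    """Roll method scores up to the chosen granularity using the maximum method score."""
    agg = defaultdict(int)
    for m, s in scores.items():
        key = _unit_key(m, granularity)
        agg[key] = max(agg[key], s)
    return dict(agg)


def select_entry_points(scores, threshold, granularity="method"):
    """Return the methods handed to the SAST tool as entry points.

    A unit (method, class or file) is selected when its aggregated score is at
    least `threshold`; every method inside a selected unit becomes an entry point.
    Coarser granularity therefore keeps more methods (e.g. helpers that share a
    file with a high-scoring method), trading speed for completeness.
    """
    agg = aggregate(scores, granularity)
    return {m for m in scores if agg[_unit_key(m, granularity)] >= threshold}


def tradeoff(scores, selected):
    """(fraction of all methods kept as entry points, recall of SRM-calling methods).

    The first value is a proxy for analysis cost, the second for completeness:
    a method with score 0 calls no SRM directly, so losing it is assumed harmless
    under this simplified model.
    """
    srm_methods = {m for m, s in scores.items() if s > 0}
    kept_fraction = len(selected) / len(scores)
    recall = len(selected & srm_methods) / len(srm_methods)
    return kept_fraction, recall


if __name__ == "__main__":
    scores = method_scores(CALLS, SRMS)
    for granularity in ("method", "class", "file"):
        for threshold in (1, 2):
            chosen = select_entry_points(scores, threshold, granularity)
            kept, recall = tradeoff(scores, chosen)
            print(f"{granularity:6s} t>={threshold}: "
                  f"{len(chosen)} entry points, kept={kept:.2f}, recall={recall:.2f}")
```

Running the table shows the effect the thesis is meant to quantify: at threshold 1, method- and class-level selection keep the three SRM-calling methods, while file-level selection also drags in `Util.log` because it shares `Shell.java` with a high-scoring method; raising the threshold to 2 shrinks the entry-point set to a single method at the cost of dropping two SRM callers.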

This thesis will design, implement, and rigorously evaluate a family of such entry-point selection strategies, benchmark them across real-world projects, and also compare the best-performing strategy against AI-based vulnerability detection tools.

Requirements:

  • Interest in software security and static program analysis (required)
  • Solid Java development skills (required)
  • Willingness to work with large existing codebases and toolchains (required)
  • Optional: Prior knowledge of SAST tools, taint analysis, and Python (for automatic experiments)
  • Optional: Previous attendance of DECA1 and/or DECA2

Tasks:

  • Survey SAST tools and existing entry-point prioritization strategies.
  • Design and implement multiple entry-point selection strategies within the existing security-criticality assessment toolchain.
  • Integrate the strategies with SAST tools such as SecuCheck, SemGrep, and SpotBugs.
  • Benchmark all strategies across multiple projects (WebGoat, SecuCheck-Catalog, Apache OFBiz) measuring analysis time, true positive rate, and false negative rate.
  • Investigate how the quality and size of the underlying SRM list affects the effectiveness of the approach.
  • Compare the best-performing strategy against AI-based vulnerability detection tools.

Language: The thesis will be written in English.

Learning Outcomes:

  • Hands-on experience with static application security testing tools and taint analysis.
  • Deep understanding of the trade-offs between analysis speed and vulnerability detection completeness.
  • Experience designing and conducting rigorous empirical software security evaluations.
  • Exposure to both classical and AI-based approaches to automated vulnerability detection.

Ranjith Krishnamurthy

Secure Software Engineering / Heinz Nixdorf Institut
