GrammaTech open-sources Swap Detector tool that helps developers identify errors due to swapped function arguments in code
GrammaTech has released an open-source version of its Swap Detector tool, which helps developers and DevOps teams identify errors caused by swapped function arguments in deployed code. Swap Detector was developed by GrammaTech under the aegis of the DHS Static Tool Analysis Modernization Project (STAMP). It can help developers scrutinize their API usage for swap errors and improve application security testing.
The Swap Detector tool itself comprises a variety of static analysis tools, such as the Clang Static Analyzer, Clang-Tidy, and PyLint. Though it is meant for code written in C/C++, Swap Detector can be used with other programming languages as well. It is especially useful for languages that are interpreted rather than compiled.
As smartphone usage grows, APIs now form the crux of development, with many programs using third-party APIs, libraries, or frameworks. These third-party APIs can introduce bugs and argument-swapping errors; Swap Detector helps developers understand such API usage errors during a security audit.
“Traditional static-analysis techniques do not take advantage of the vast wealth of information on what represents error-free coding practices available in the open-source domain,” says Alexey Loginov, VP of Research at GrammaTech. “With Swap Detector we applied Big Data analysis techniques, what we call Big Code analysis, to the Fedora RPM open-source repository to baseline correct API usage. This allowed us to develop error-detection capabilities that far exceed the scalability and accuracy of conventional approaches to program analysis.”
Swap Detector consumes input information about a call site, and optionally, function declaration information pertaining to that call site. If it detects a potential swapped-argument error at that call site, it outputs an appropriate warning message and a score for the warning. Swap Detector uses multiple error-detection techniques, layered together to increase accuracy. For example, it compares argument names used in call sites with the parameter names used in corresponding declarations. In addition, it uses “Big Code” techniques, applying statistical information about usages of “known good” API-usage patterns collected from a large corpus of code, and flagging usages that are statistically anomalous as potential errors.
To improve the precision of the reported warnings, Swap Detector applies false-positive reduction strategies to the output of both techniques.
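The two detection layers described above (argument-name versus parameter-name comparison, and a statistical "Big Code" check against a corpus of known-good call sites), together with the false-positive filters, are illustrated below as an added example. This is hypothetical code written for this article, not GrammaTech's Swap Detector implementation; the token-based Jaccard similarity, the thresholds, the function names and the sample corpus are all assumptions chosen for illustration.

```python
"""Hypothetical illustration of swapped-argument detection (not GrammaTech code)."""
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass
class SwapWarning:
    callee: str
    positions: tuple  # (i, j): argument indices suspected of being swapped
    score: float      # 0..1, higher means more suspicious
    technique: str    # "name-match" or "big-code"


def _tokens(identifier: str) -> set:
    """Split snake_case / camelCase identifiers into lowercase word tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", identifier).replace("_", " ")
    return {part.lower() for part in spaced.split() if part}


def _similarity(a: str, b: str) -> float:
    """Jaccard similarity between the token sets of two identifiers (assumed metric)."""
    ta, tb = _tokens(a), _tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def name_match_swaps(callee, arg_names, param_names, min_len=3):
    """Layer 1: compare argument names at a call site with declared parameter names.
    A pair (i, j) is flagged when each argument matches the *other* position's
    parameter better than its own. Identical or very short names are skipped,
    which is a simple false-positive reduction step."""
    warnings = []
    for i, j in combinations(range(min(len(arg_names), len(param_names))), 2):
        ai, aj = arg_names[i], arg_names[j]
        if ai == aj or len(ai) < min_len or len(aj) < min_len:
            continue
        own = _similarity(ai, param_names[i]) + _similarity(aj, param_names[j])
        crossed = _similarity(ai, param_names[j]) + _similarity(aj, param_names[i])
        if crossed > own:
            score = (crossed - own) / 2  # each sum is in 0..2, so score is 0..1
            warnings.append(SwapWarning(callee, (i, j), round(score, 2), "name-match"))
    return warnings


def big_code_swaps(callee, arg_names, corpus, min_support=5, threshold=0.8):
    """Layer 2: statistical check against a corpus of argument-name tuples seen at
    other call sites of the same callee. For each pair of positions, count how
    often the two names occur in this order versus the swapped order elsewhere;
    a strongly dominant swapped order marks this call site as anomalous. The
    min_support filter avoids warnings backed by too little evidence."""
    warnings = []
    for i, j in combinations(range(len(arg_names)), 2):
        ai, aj = arg_names[i], arg_names[j]
        if ai == aj:
            continue
        same = swapped = 0
        for call in corpus:
            if len(call) <= j:
                continue
            if call[i] == ai and call[j] == aj:
                same += 1
            elif call[i] == aj and call[j] == ai:
                swapped += 1
        total = same + swapped
        if total >= min_support and swapped / total >= threshold:
            warnings.append(SwapWarning(callee, (i, j), round(swapped / total, 2), "big-code"))
    return warnings


def detect_swaps(callee, arg_names, param_names=None, corpus=()):
    """Run both layers; declaration info and corpus data are each optional."""
    found = []
    if param_names:
        found += name_match_swaps(callee, arg_names, param_names)
    if corpus:
        found += big_code_swaps(callee, arg_names, corpus)
    return found


# Constructed sample corpus: how other code calls a hypothetical copy_buffer().
SAMPLE_CORPUS = [("dst", "src", "n")] * 6 + [("out", "in_buf", "len")] * 3

if __name__ == "__main__":
    params = ["dest", "source", "length"]
    for args in (["source_buf", "dest_buf", "len"], ["src", "dst", "n"], ["dst", "src", "n"]):
        print(args, "->", detect_swaps("copy_buffer", args, params, SAMPLE_CORPUS))
```

The first call site is caught by the name-match layer (its argument names cross-match the declared parameters), the second only by the statistical layer (the corpus overwhelmingly uses the opposite order), and the third produces no warning from either.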