Student Job at Fraunhofer SIT
In order to resolve security flaws in applications, organizations must be able to identify the broadest possible array of potentially exploitable vulnerabilities. One of the primary methods to accomplish this is static analysis. While static source code analyzers can locate more types of vulnerabilities than any other method, they also output hundreds, if not thousands, of findings, among which are a good number of false positives (warnings given by the tool that are not actual security flaws). Reducing the number of false positives saves time and proves useful for the developers who have to process the list of warnings afterwards.
False positives are often created by the tools' limitations, so-called over-approximations. When the tool encounters those limitations while scanning a program, it produces incorrect data flows, which result in false positives. Your task will be to identify such data flows using machine learning and graph pattern recognition.
The tasks of the student would be to:
(1) Create a library of known over-approximations
(2) Explore how to recognize such over-approximations in order to determine an analysis’ weaknesses
(3) Classify warnings that might correspond to unknown patterns to complete the library
Ideal candidates should have a good understanding of the Java language and good software design skills. Prior knowledge of static analysis is helpful, but not absolutely necessary.