William Snavely
Carnegie Mellon University
Publications by William Snavely
Composing Effective Software Security Assurance Workflows
October 18, 2018 • Technical Report
William Nichols, Jim McHale, David Sweeney
In an effort to determine how to make secure software development more cost effective, the SEI conducted a research study to empirically measure the effects that security tools—primarily automated static analysis tools—had on costs and benefits.
Detecting Leaks of Sensitive Data Due to Stale Reads
October 05, 2018 • Conference Paper
William Snavely, William Klieber, Ryan Steele
This paper introduces a heuristic-driven dynamic analysis that aims to detect reads that may be accessing stale sensitive data.
Practical Precise Taint-flow Static Analysis for Android App Sets
August 27, 2018 • White Paper
William Klieber, Lori Flynn, William Snavely
This paper describes how to detect taint flow in Android app sets with a static analysis method that is fast and uses little disk and memory space.
Prioritizing Alerts from Multiple Static Analysis Tools, Using Classification Models
August 14, 2018 • Conference Paper
Lori Flynn, William Snavely, David Svoboda
This paper was accepted by the SQUADE workshop at ICSE 2018. It describes the development of several classification models for the prioritization of alerts produced by static analysis tools and how those models were tested for accuracy.
Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon and Rules
September 24, 2017 • Presentation
Lori Flynn, David Svoboda, William Snavely
In this tutorial, SEI researchers describe auditing rules and a lexicon that SEI developed.
DidFail: Coverage and Precision Enhancement
July 06, 2017 • Technical Report
Karan Dwivedi (No Affiliation), Hongli Yin (No Affiliation), Pranav Bagree (No Affiliation)
This report describes recent enhancements to Droid Intent Data Flow Analysis for Information Leakage (DidFail), the CERT static taint analyzer for sets of Android apps.
Automated Code Repair Based on Inferred Specifications
November 03, 2016 • Conference Paper
William Klieber, William Snavely
In this paper, the authors describe automated repairs for three types of bugs: integer overflows, missing array bounds checks, and missing authorization checks.
Static Analysis Alert Audits: Lexicon & Rules
November 03, 2016 • Conference Paper
David Svoboda, Lori Flynn, William Snavely
In this paper, the authors provide a suggested set of auditing rules and a lexicon for auditing static analysis alerts.
Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets
March 04, 2015 • Technical Report
Jonathan Burket, Lori Flynn, Will Klieber
In this report, the authors describe how the DidFail tool was enhanced to improve its effectiveness.