Search for Errors in C# Source Code Based on Static Taint Analysis
https://doi.org/10.15514/ISPRAS-2026-38(1)-4
Abstract
Various static analysis methods can detect errors in source code that often lead to vulnerabilities. Tainted data analysis, in particular, offers several advantages. This paper proposes a set of methods that, when combined with an IFDS-based taint propagation algorithm, can outperform existing industrial tools. The method set has been implemented in the industrial-grade SharpChecker analyzer and evaluated on both static analyzer test suites – such as Juliet and WebGoat – to assess completeness, and on real-world projects to measure accuracy and performance. A comparison with popular analyzers, including InferSharp, Security Code Scan, and others, demonstrates SharpChecker's comparatively high completeness and accuracy. These results lead to the conclusion that the proposed method set is of high practical value for vulnerability detection.
About the Authors
Mikhail Vladimirovich BELYAEVRussian Federation
Junior Researcher at ISP RAS. Research interests: compiler technologies, static code analysis, taint analysis.
Polina Ilyinichna RAGOZINA
Russian Federation
Senior Laboratory Assistant at ISP RAS, a researcher at the Department of Compiler Technologies. Scientific interests: static analysis of programs, symbolic execution, taint analysis.
Valery Nikolayevich IGNATYEV
Russian Federation
Cand. Sci. (Phys.-Math.) in computer sciences, senior researcher at Ivannikov Institute for System Programming RAS and associate professor at system programming division of CMC faculty of Lomonosov Moscow State University. His research interests include program analysis techniques for error detection in program source code using classical static analysis and machine learning.
References
1. Belyaev M. V. et al. Comparative analysis of two approaches to static taint analysis //Programming and Computer Software. – 2018. – Т. 44. – №. 6. – С. 459-466.
2. Кулямин В. В. Обзор методов динамического анализа программного обеспечения //Труды Института системного программирования РАН. – 2023. – Т. 35. – №. 4. – С. 7-44.
3. The MITRE Corporation, CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), MITRE CWE. Available at: https://cwe.mitre.org/data/definitions/78, accessed 10.10.2025.
4. Ignatyev V. N. A Holistic Static Analysis for Finding Errors in Source Code //Программная инженерия. – 2025. – Т. 16. – №. 10. – С. 517-531.
5. Reps T., Horwitz S., Sagiv M. Precise interprocedural dataflow analysis via graph reachability //Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages. – 1995. – С. 49-61. DOI: 10.1145/199448.199462.
6. Shimchik N. V., Ignatyev V. N., Belevantsev A. A. Improving accuracy and completeness of source code static taint analysis //2021 Ivannikov Ispras Open Conference (ISPRAS). – IEEE, 2021. – С. 61-68.
7. Biktimirov M. G., Ignatyev V. N., Belyaev M. V. Improving the accuracy of library function modeling in the static analyzer //2023 Ivannikov Ispras Open Conference (ISPRAS). – IEEE, 2023. – С. 26-32.
8. The Roslyn .NET compiler provides C# and Visual Basic languages with rich code analysis APIs. Available at: https://github.com/dotnet/Roslyn, accessed 10.10.2025.
9. Кошелев В. К., Игнатьев В. Н., Борзилов А. И. Инфраструктура статического анализа программ на языке C //Труды Института системного программирования РАН. – 2016. – Т. 28. – №. 1. – С. 21-40. DOI: 10.15514/ISPRAS-2016-28(1)-2.
10. Koshelev V. K. et al. SharpChecker: Static analysis tool for C# programs //Programming and Computer Software. – 2017. – Т. 43. – №. 4. – С. 268-276.
11. The MITRE Corporation, CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), MITRE CWE. Available at: https://cwe.mitre.org/data/definitions/89, accessed 10.10.2025.
12. The MITRE Corporation, CWE-798: Use of Hard-coded Credentials, MITRE CWE. Available at: https://cwe.mitre.org/data/definitions/798, accessed 10.10.2025.
13. Ignatyev V. N. et al. Large language models in source code static analysis //2024 Ivannikov Memorial Workshop (IVMEM). – IEEE, 2024. – С. 28-35.
14. TIOBE Index - TIOBE. Available at: https://www.tiobe.com/tiobe-index/, accessed 08.11.2025.
15. Карцев В. С., Игнатьев В. Н. Поддержка Visual Basic. NET в статическом анализаторе SharpChecker //Труды Института системного программирования РАН. – 2024. – Т. 36. – №. 3. – С. 49-62. DOI: 10.15514/ISPRAS-2024-36(3)-4
16. Code for the EVE Isk per Hour program. Available at: https://github.com/EVEIPH/EVE-IPH, accessed 27.11.2025.
17. Black P. E. Juliet 1.3 test suite: Changes from 1.2. – Gaithersburg, MD, USA : US Department of Commerce, National Institute of Standards and Technology, 2018.
18. WebGoat.NET is a deliberately insecure application. Available at: https://github.com/jerryhoff/WebGoat.NET, accessed 25.11.2025.
19. Puma Prey contains vulnerable .NET applications, which provide a target for running secure coding challenges, CTFs, and testing the Puma Scan analyzers. Available at: https://github.com/pumasecurity/puma-prey, accessed 25.11.2025.
20. Infersharp. Available at: https://github.com/microsoft/infersharp, accessed 10.10.2025.
21. Calcagno C., Distefano D. Infer: An automatic program verifier for memory safety of C programs //NASA Formal Methods Symposium. – Berlin, Heidelberg : Springer Berlin Heidelberg, 2011. – С. 459-465. DOI: 10.1007/978-3-642-20398-5_33
22. security-code-scan: Vulnerability Patterns Detector for C# and VB.NET. Available at: https://github.com/security-code-scan/security-code-scan, accessed 15.10.2025
23. SonarQube. Available at: https://github.com/SonarSource/sonarqube, accessed 15.10.2025.
24. OpenSimulator is an open source multi-platform, multi-user 3D application server. Available at: http://opensimulator.org/wiki/Main_Page, accessed 01.11.2025.
Review
For citations:
BELYAEV M.V., RAGOZINA P.I., IGNATYEV V.N. Search for Errors in C# Source Code Based on Static Taint Analysis. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2026;38(1):45-60. (In Russ.) https://doi.org/10.15514/ISPRAS-2026-38(1)-4






