Gaps in Static Analysis Tool Capabilities. Providing World-Class Services for World-Class Competitiveness

Similar documents
Lessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness

Static Analysis of C++ Projects with CodeSonar

RiskSense Attack Surface Validation for IoT Systems

MIS Week 9 Host Hardening

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

RiskSense Attack Surface Validation for Web Applications

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Verification & Validation of Open Source

Managed Application Security trends and best practices in application security

Manifest Safety and Security. Robert Harper Carnegie Mellon University

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

Security Correlation Server System Deployment and Planning Guide

Appendix to The Health of Software Engineering Research

CS 161 Computer Security

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Security Solutions. Overview. Business Needs

11.1 Facility Location

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Using Static Code Analysis to Find Bugs Before They Become Failures

Static Analysis in C/C++ code with Polyspace

Static Analysis Techniques

Oracle Developer Studio Code Analyzer

IT Attestation in the Cloud Era

Software Excellence via. at Microsoft

Language Techniques for Provably Safe Mobile Code

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Code Reviews. James Walden Northern Kentucky University

Web Applications (Part 2) The Hackers New Target

CIS 890: Safety Critical Systems

Static Analysis in Practice

Larry Maccherone Carnegie Mellon CyLab

Automatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013

Stephen McLaughlin. From Uncertainty to Belief: Inferring the Specification Within

Inference of Memory Bounds

Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Software Excellence via Program Analysis at Microsoft. Manuvir Das

Verification and Validation

DR. CHECKER. A Soundy Analysis for Linux Kernel Drivers. University of California, Santa Barbara. USENIX Security seclab

A program execution is memory safe so long as memory access errors never occur:

Accelerate Your Enterprise Private Cloud Initiative

The Checker Framework: pluggable static analysis for Java

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Types, Universes and Everything

MC: Meta-level Compilation

Static Analysis and Dataflow Analysis

GNAT Pro Innovations for High-Integrity Development

Know Your Network. Computer Security Incident Response Center. Tracking Compliance Identifying and Mitigating Threats

Splint Pre-History. Security Flaws. (A Somewhat Self-Indulgent) Splint Retrospective. (Almost) Everyone Hates Specifications.

Lecture 15 Software Testing

Julia Allen Principal Researcher, CERT Division

Retrieval Evaluation. Hongning Wang

IntFlow: Integer Error Handling With Information Flow Tracking

Rigorously Test Composite Applications Faster With CA Test Data Manager and CA Agile Requirements Designer

Certification Report

Verification by Static Analysis

Dependability and Architecture: An HDCP Perspective

The New Era of Cognitive Security

Improve the User Experience on Your Website

Certification Report

Static Analysis in Practice

Program Verification. Aarti Gupta

Engineering Improvement in Software Assurance: A Landscape Framework

Security Analyses For The Lazy Superhero

Chapter-3. Reasons and Remedies of False Positive

Checking Program Properties with ESC/Java

An Overview of ISO/IEC family of Information Security Management System Standards

Flat Clustering. Slides are mostly from Hinrich Schütze. March 27, 2017

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Language Security. Lecture 40

Binding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill

CS162 - POINTERS. Lecture: Pointers and Dynamic Memory

Tolerating Hardware Device Failures in Software. Asim Kadav, Matthew J. Renzelmann, Michael M. Swift University of Wisconsin Madison

Java Software Solutions for AP Computer Science 3rd Edition, Lewis et al. 2011

Hugbúnaðarverkefni 2 - Static Analysis

Coding and Unit Testing! The Coding Phase! Coding vs. Code! Coding! Overall Coding Language Trends!

Testing, code coverage and static analysis. COSC345 Software Engineering

Search. CS 3793/5233 Artificial Intelligence Search 1

Static Program Analysis Part 1 the TIP language

C Source Code Analysis for Memory Safety

APISan: Sanitizing API Usages through Semantic Cross-checking

Subject : Computer Science. Paper : Software Quality Management. Module : CASE Tools

How Can You Trust Formally Verified Software?

8/3/2017. Contour Assessment for Quality Assurance and Data Mining. Objective. Outline. Tom Purdie, PhD, MCCPM

Mixing formal methods to increase robustness against cyber-attacks

Introduction to Information Retrieval

Static Analysis versus Software Model Checking for bug finding

Memory Safety (cont d) Software Security

Leveraging Formal Verification Throughout the Entire Design Cycle

Security: The Key to Affordable Unmanned Aircraft Systems

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

finding vulnerabilities

ETSI Zero touch network and Service Management (ZSM)

Evaluating Bug Finders

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

A bit of theory: Algorithms

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Static Analysis. Systems and Internet Infrastructure Security

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Transcription:

Gaps in Static Analysis Tool Capabilities 1

Overview Gaps in Static Analysis tools as identified during the evaluation of five (5) commercially available static analysis tools Collaborative effort between CTC, Carnegie Mellon CyLab Topics Perspective Desirable Characteristics Significant Capability Gaps A Way Forward Summary 2

Perspective: Experience with the Tools Thoroughly examined and compared five (5) commercial static analysis tools Subjected to a variety of tests involving both synthetic and real-world code Helping to develop a methodology for extracting assurance about software using static analysis 3

Perspective: Constraints Assume two (2) third party analysts (possibly experienced) Assume one month to complete the evaluation Assume projects may scale to millions of lines of code (LOC) Assume no single tool covers requirements Need tools that can facilitate this type of analysis Worst possible evaluation scenario No knowledge of the code Varying degrees of expertise Different requirements than the developers 4

Desirable Characteristics Characteristics that still cut across all tools: Low False Positive (FP) and False Negative (FN) rates Deep coverage of at least one flaw type Wider coverage of major security flaw types Easy to perform analysis Support for major programming languages Tunable 5

Existing Features (the good) Code understanding facilities Extensibility Application Programming Interfaces (API) Interprocedural analysis Review/Audit Support API modeling Flow analysis Flaw pre/post conditions Security knowledge bases Data export & import Code browsing Trend analysis Scalability Multi-language analysis Analysis without build modification Flaw Filtering 6

Significant Gaps Reliability Is the tool's analysis thorough enough? Transparency Can we tell what the tool is and isn't doing? Flaw Detection Can tool that can detect flaws of a certain type? Interoperability Can we get multiple tools to work together? 7

Reliability Really Hard problems: Handling in-line assembly Pointer arithmetic Code generated or loaded at run time Deep Data Flow (DF) Control Flow (CR) Affine Relations (AR) Value Set (VS) Context Sensitive (CS) analysis (all at once) 8

Reliability Heuristically solvable but difficult problems: Binary analysis Inter-procedural logic Multi-lingual analysis Analysis in the face of loops and recursion Understanding data structures Understanding the run-time environment 9

Transparency Evidence that a flaw is genuine Tool confidence Formal proofs of correctness Complete description of how and why the flaw was flagged Evidence that non-flagged code can be trusted Bounds of uncertainty Knowledge of what the tool doesn't detect 10

Flaw Detection 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Improper Return Value Use Format String Memory Leak TOCTOU Buffer Overflow Command Injection Null Pointer Dereference Tainted Data Uninitialized Variable Use Use After Free Found by exactly 5 tools Found by exactly 4 tools Found by exactly 3 tools Found by exactly 2 tools Found by exactly 1 tools 11

Interoperability Unparsable output No standard for result correlation No standard API for: New checkers Data exchange Review of results Accessing program models 12

A Way Forward Minimum Requirements for Review Assistance Potential Incident Identification Standard Result Format Standard IR API Annotation & Assertion Support Source code and tool output Bridging the Gap 13

Minimum Requirements for Review Assistance Cross referenced browsable results with source code Providing pre/post conditions Providing flow analysis Supporting value sets for variables Supporting programming slicing Helping to visualize code Helping to easily query code Presenting the body of evidence of a flaw 14

Potential Incident Identification Identify all constructs that could cause a particular type of flaw Helps to determine how often the programmers got it right Helps in estimating how much the analysis covered and the breadth of exposure 15

Standard Result Format Addresses: Interoperability Review assistance Requires: Std. source locations Std. line counting Std. flaw types Std. characterizations Provides: Data exchange Collaboration External audit 16

Standard IR API Addresses: Interoperability Extensibility Requires: Vendor and Community buy in Funding? Provides: Customization Technology Transfer Speeds tool development 17

Annotation Support Tool support for language annotations Verifying assertions Inferring design intent Tool support for generating annotations Verifiable assertions about the code Provide annotations to assist code review 18

Summary Current state of software assurance demands much but there are limited practical solutions Static analysis tools offer a promise to help but must first overcome issues of reliability, transparency, detection and interoperability Common open data formats and APIs can enhance the tools and improve our ability to use them 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback