Static Analysis of C++ Projects with CodeSonar

Similar documents
Finding the Static Analysis Sweet Spot

Lessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

Gaps in Static Analysis Tool Capabilities. Providing World-Class Services for World-Class Competitiveness

Using Static Code Analysis to Find Bugs Before They Become Failures

Lecture 15 Software Testing

Announcements. Working on requirements this week Work on design, implementation. Types. Lecture 17 CS 169. Outline. Java Types

Static Analysis and Dataflow Analysis

Static Program Analysis Part 1 the TIP language

Darshan Institute of Engineering & Technology for Diploma Studies

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Verification and Validation

Static Analysis in C/C++ code with Polyspace

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

Verification & Validation of Open Source

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Part 5. Verification and Validation

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions

Optimizing for Bugs Fixed

Verification and Validation

Verification and Validation

Limitations of the stack

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Oracle Developer Studio Code Analyzer

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

CS2141 Software Development using C/C++ Debugging

CERT C++ COMPLIANCE ENFORCEMENT

Modular and Verified Automatic Program Repairs

DEBUGGING: STATIC ANALYSIS

RELIABLE SOFTWARE SYSTEMS

COS 320. Compiling Techniques

Finding Concurrency Bugs in Java

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Chapter 8 Software Testing. Chapter 8 Software testing

Static Analysis with Goanna

Race Catcher. Automatically Pinpoints Concurrency Defects in Multi-threaded JVM Applications with 0% False Positives.

Recap. Advanced static analysis jobs. Secure Programming Lecture 14: Static Analysis II. Program understanding tools

Chapter 11, Testing. Using UML, Patterns, and Java. Object-Oriented Software Engineering

Verification Using Static Analysis

Advanced Software Testing Testing Code with Static Analysis

DRVerify: The Verification of Physical Verification

The Path Not Taken: Maximizing the ROI of Increased Decision Coverage

Type Checking Systems Code

Program Correctness and Efficiency. Chapter 2

CS4491/CS 7265 BIG DATA ANALYTICS

Static Analysis of Embedded C

[ANALYSIS ASSIGNMENT 10]

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Static Analysis in Practice

Lecture 10: Introduction to Correctness

Software Testing. Software Testing

Write perfect C code to solve the three problems below.

Static program checking and verification

[0569] p 0318 garbage

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Program Analysis. CSCE Lecture 16-03/03/2016

CSE 501 Midterm Exam: Sketch of Some Plausible Solutions Winter 1997

Static and dynamic Testing

Evaluation Metrics. (Classifiers) CS229 Section Anand Avati

Memory Analysis tools

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Secure Programming Lecture 11: Program Analysis II

Verification and Validation. Assuring that a software system meets a user s needs. Verification vs Validation. The V & V Process

Verifying source code

Verification and Validation

principles and tools for ensuring software security.

CS 370 The Pseudocode Programming Process D R. M I C H A E L J. R E A L E F A L L

SCALABLE STATISTICAL BUG ISOLATION

Program Static Analysis. Overview

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

Putting Static Analysis to Work for Verification

Examining the Code. [Reading assignment: Chapter 6, pp ]

CS558 Programming Languages

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

Sendmail crackaddr - Static Analysis strikes back

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

Automated Assessment Tools

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

Intro to Proving Absence of Errors in C/C++ Code

CSE543 - Computer and Network Security Module: Intrusion Detection

Finding Vulnerabilities in Web Applications

CSE543 - Computer and Network Security Module: Intrusion Detection

Web Applications (Part 2) The Hackers New Target

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Test Oracles. Test Oracle

Analysis/Bug-finding/Verification for Security

Variables, Memory and Pointers

Simulink Verification and Validation

Types and Type Inference

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Applications of Program analysis in Model-Based Design

Wanted: Students to participate in a user study

CS558 Programming Languages

A Gentle Introduction to Program Analysis

Lecture 9 Assertions and Error Handling CS240

Transcription:

Static Analysis of C++ Projects with CodeSonar John Plaice, Senior Scientist, GrammaTech jplaice@grammatech.com 25 July 2017, Meetup C++ de Montréal Abstract Static program analysis consists of the analysis of a computer program without actually executing it. Common problems detected using static analysis include taint analysis, null pointer detection, and buffer overruns. This talk introduced the topic of static analysis, and gave a demo using CodeSonar, the flagship product of GrammaTech. This short paper summarizes the talk. 1 What is Static Analysis? Static analysis infers information about software behavior based on a static representation of the software, without actually running it. It is not the same as simulation, nor does it require sample input or test cases. Static analysis usually is split into a two-phase process: Extract semantic information from source code; Use information to discover defects or other properties of interest. 2 Applications of Static Analysis Stronger type checking; Checking conformance with coding guidelines; Software metrics; Software architecture analysis; Finding bugs! 3 Benefits of Static Analysis Static analysis examines far more execution paths than conventional testing will ever do. Furthermore, static analysis can be applied automatically, right from the beginning of the development cycle. In general, static analysis Catches problems that test suites miss; Catches bugs early, when they are less expensive to fix; Pinpoints defects automatically, improving productivity; Shows if code quality is improving over time; Improves software quality (and security); Reduces time to market. 1

4 Why Use Advanced Static Analysis? Conventional testing is only as good as the test cases. The number of paths in a program far exceeds the number exercised by conventional testing. Most paths go untested, even in the most stringent approaches to testing. Tools like GrammaTech CodeSonar work directly on the code. They find interesting and serious bugs. Heuristics are used to avoid uninteresting results. Easy to apply in the development cycle. Much more scalable than formal verification systems using model checking. 5 Not All Flaws Are Equal Easy-to-find flaws Typically structural or syntactic issues; Usually unambiguous; Often unlikely to cause problems in the field; May also be easily revealed by testing. Hard-to-find flaws Typically semantic; Require advanced analysis to find; Prone to false positives; Usually expensive to fix in the field; Hard to find with conventional testing. 6 What Types of Bugs Can Be Identified Static-analysis tools can catch Language misuse: e.g., buffer overruns and null-pointer dereferences; Library misuse: e.g., calling accept() on a socket in wrong state; Suspicious code: e.g., dead code, redundant conditions. CodeSonar also provides an API to add custom checkers e.g., do not call foo() from within an interrupt handler. Static-analysis tools cannot catch Bugs that have to do with the functionality of an application e.g., This algorithm calculates the wrong answer. 2

7 Some CodeSonar Checks Buffer Overrun Null-pointer Dereference Divide by Zero Uninitialized Variable Free Non-heap Variable Use after Free Double Free/Close Free Null Pointer Format String Vulnerability Race Conditions Unreachable Code Memory/Resource Leak Return Pointer to Local Mismatched Array New/Delete Invalid Parameter Missing Return Statement Dangerous Cast Inconsistent Form User-defined Checks Many More... 8 Static Analysis Metrics Given TP = number of true positives FP = number of true negatives TN = number of false positives FN = number of false negatives Precision = Recall = TP TP + FP TP TP + FN Perfect Recall: No false negatives. Perfect Precision: No false positives. Ideal Performance: Runs fast, uses little memory. 3

9 The Core Tradeoff Perfect Recall is easy (no false negatives) All points in your program have bugs, or This tool only finds the easy-to-find bugs. Perfect Precision is easy (no false positives) There are no bugs in your program, or This tool only reports the obvious bugs. Ideal Performance is easy Either one of the above, or guess randomly. Core tradeoff Precision vs Recall vs Performance simultaneously for serious flaws. 10 Symbolic Execution Uses techniques from model checking and abstract interpretation. Using the control-flow graph (CFG): Simulate executions of a function. Use abstract values instead of concrete values: Domain of abstract values are typically equations describing relations between variables: x < 0, i = 2 j. Explore multiple paths. Use summaries at call sites. Look for anomalies: e.g., at x = *p, p == NULL Null pointer dereference. Use heuristics to suppress false positives. 11 Path Exploration All serious path-sensitive analyses limit path exploration. Need to keep time and space requirements roughly linear in the size of the program; Limit on number of paths or time spent explored per procedure; Some paths not considered: setjmp/longjmp, Indirect function calls, Context switches, Recursion; Current solutions are coarse and partial. 4

12 Demo I gave a demo of the CodeSonar tool, finding flaws in vivo in the latest GNUchess program. A lot of discussion took place. 13 When to Deploy? Recommendation: Deploy early in development cycle As soon as code is compilable. The cheapest bug is the one you find earliest. Avoids last-minute avalanche of problems. Get programmers writing for the tool : Encourages good style, and makes it easier for the tool. Get programmers extending the tool: Workflow? When a bug does surface: How could I have written the code so that the Static Analysis tool would have found this? Do a partial analysis before committing changes: Not as accurate as a full analysis, but faster. Do a complete analysis triggered by changes: New items can be correlated with the changes in a just-in-time fashion. 14 For more info... Please have a look at our Web site: http://www.grammatech.com 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback