Using Static Code Analysis to Find Bugs Before They Become Failures

Similar documents
CONFERENCE PROCEEDINGS QUALITY CONFERENCE. Conference Paper Excerpt from the 28TH ANNUAL SOFTWARE. October 18th 19th, 2010

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Static Analysis of C++ Projects with CodeSonar

CS2141 Software Development using C/C++ Debugging

Oracle Developer Studio Code Analyzer

Verification & Validation of Open Source

Type Checking and Type Equality

Static Analysis in C/C++ code with Polyspace

Part 5. Verification and Validation

CMSC 341 Lecture 2 Dynamic Memory and Pointers

Verification and Validation

Black Hat Webcast Series. C/C++ AppSec in 2014

18-642: Code Style for Compilers

6. Pointers, Structs, and Arrays. 1. Juli 2011

Variables, Memory and Pointers

Verification Using Static Analysis

Memory Leak. C++: Memory Problems. Memory Leak. Memory Leak. Pointer Ownership. Memory Leak

Examining the Code. [Reading assignment: Chapter 6, pp ]

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Static Program Analysis Part 1 the TIP language

Ingegneria del Software II academic year: Course Web-site: [

XMEM. Extended C/C++ Dynamic Memory Control and Debug Library. XMEM Manual. Version 1.7 / September 2010

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

18-642: Code Style for Compilers

Bug Hunting and Static Analysis

CSCI-1200 Data Structures Spring 2016 Lecture 6 Pointers & Dynamic Memory

Introducing C++ to Java Programmers

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

6. Pointers, Structs, and Arrays. March 14 & 15, 2011

Programming vulnerabilities for C++ (part of WG23 N0746)

CS Programming In C

Buffer overflow background

Vector and Free Store (Vectors and Arrays)

CSC C69: OPERATING SYSTEMS

In Java we have the keyword null, which is the value of an uninitialized reference type

Lessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

C and C++ Secure Coding 4-day course. Syllabus

EL2310 Scientific Programming

Programming Abstractions

[0569] p 0318 garbage

CS 241 Honors Memory

SoK: Eternal War in Memory

Object-Oriented Programming for Scientific Computing

CS558 Programming Languages

Introduction to Java

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

CSCI0330 Intro Computer Systems Doeppner. Lab 02 - Tools Lab. Due: Sunday, September 23, 2018 at 6:00 PM. 1 Introduction 0.

Application parallelization for multi-core Android devices

CERT C++ COMPLIANCE ENFORCEMENT

Chapter 1 INTRODUCTION SYS-ED/ COMPUTER EDUCATION TECHNIQUES, INC.

NOTE: Debug and DebugSingle are the only MPI library configurations that will produce trace output.

Systems software design. Software build configurations; Debugging, profiling & Quality Assurance tools

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Memory Corruption 101 From Primitives to Exploit

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Memory and C++ Pointers

1 Visible deviation from the specification or expected behavior for end-user is called: a) an error b) a fault c) a failure d) a defect e) a mistake

Scalable Post-Mortem Debugging Abel Mathew. CEO -

nptr = new int; // assigns valid address_of_int value to nptr std::cin >> n; // assigns valid int value to n

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

CS558 Programming Languages

SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29,

Verification and Validation

System Administration and Network Security

Limitations of the stack

Program Analysis. CSCE Lecture 16-03/03/2016

Lecture Notes on Memory Management

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Chapter 8. Achmad Benny Mutiara

Lecture 4 September Required reading materials for this class

Software Design and Analysis for Engineers

J2EE Development Best Practices: Improving Code Quality

Important From Last Time

The Compiler So Far. CSC 4181 Compiler Construction. Semantic Analysis. Beyond Syntax. Goals of a Semantic Analyzer.

To obtain the current global trace mask, call meitraceget(...). To modify the global trace mask, call meitraceset(...).

Secure coding practices

Analysis Tool Project

Stanford University Computer Science Department CS 295 midterm. May 14, (45 points) (30 points) total

Verification and Validation

Verification and Validation

CS162 - POINTERS. Lecture: Pointers and Dynamic Memory

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

An Overview of the BLITZ System

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

MISRA-C. Subset of the C language for critical systems

Memory Analysis tools

Programming Language Implementation

Page 1. Stuff. Last Time. Today. Safety-Critical Systems MISRA-C. Terminology. Interrupts Inline assembly Intrinsics

Buffer Overflows Defending against arbitrary code insertion and execution

Testing Objectives. Successful testing: discovers previously unknown errors

Using Intel VTune Amplifier XE and Inspector XE in.net environment

Lecture 07 Debugging Programs with GDB

INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS

Automotive Software Security Testing

Transcription:

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference, 2010

In the Beginning, There Was Lint Syntactic analysis found many simple coding mistakes Mismatched arguments Incompatible data type usage Uninitialized variables Printf() format argument mismatch Analyzed one source file at a time Generated lot s of warnings Not all of them useful Function is now integrated into most compiler

Beyond Lint Functional analysis without execution Functional analysis, not just compilation errors Data flow and control flow analysis Typically automated Incorporates some aspects of reverse engineering Analyzes objects and their usage Follows resource allocation, initialization and de-allocation Considers the whole program Analyses entire build, not just individual files Examines all execution paths within functions and between functions Calculates range of possible values for each variable line by line, complete coverage (for known issues) Quality, not quantity Balance aggressiveness with restraint

Elements of a Static Code Analysis System Library of issues and patterns Identifies problem severity Ability to define new patterns or suppress unwanted patterns Database for tracking issues Manage issue priority and ignore false positives Identify new issues over time and track as source files change Identify fixed issues Accessible issue reporting interface Detailed description of specific issue and location in source code Assist developers to understand, investigate and fix bugs Sometimes integrated into IDE Compilation process to perform analysis May require as much time as actual build Must be run with the same options and compiler flags

Using the Klocwork Static Analysis Tool Klocwork Insight Software developed at Nortel Networks Analyzes C, C++, C# and Java Uses build auditing approach Manifest generator runs normal build script Captures files, commands and options Generates manifest Directs analysis Consults library Queries database Updates database Generates reports Library Build Manifest Analyze Database Report

Configuring the Analysis Klocwork does not support incremental builds Needs to know all of the files in the build, needs to be reminded Vendor suggested rebuild the manifest after adding/removing files or, Perform full build every time Integration with ClearCase ClearCase records complete configuration record for build Build manifest file format clearly described in Klocwork documentation Developed simple script to create manifest from ClearCase config record Generate file ownership from version history Build Firmware Package Manifest Generator Build Manifest Analysis Ownership script Owner Record

Integrating Static Analysis in our Environment Incorporated into nightly builds Klocwork analysis runs as a step in the nightly build Uses ClearCase configuration record to produce manifest Uses ClearCase version history to determine file ownership Manual review of new issues reported Review of new and uncited issues Set status according to severity and priority Forward new issues to team members Investigate and make changes to source code Analysis usually provides enough detail to quickly fix issue Use browser to search for declarations and implementation Compile Review Prioritize Investigate Fix

Managing Issues in Klocwork Klocwork determines the state of an issue Identifies issues as new, existing, recurred, fixed or not in scope Maintains history of current issues Detects when new issues are discovered Reviewer determines the status of an issue Analysis -> Citing -> Resolution Every new issue starts with status set to analyze (uncited) Users choose fix, fix in next release, fix in later release, not a problem Reviewer and implementer can add notes to issue record Analyze or Fix status identifies open issues Issues with issue management process Would be nice if citing could automatically generate bug report Does not provide real tracking capability

Klocwork Issue Reports Contains a specific description of the problem Array foo of size 22 may use index values or -2.. -1. Also there are similar errors on lines 491, 494. Provides traceback of analysis showing all locations that affect value Traceback references highlighted in source code listing Nested references can be expanded for deeper dive Cross reference interface allows exploration of source code Finds declarations functions, variables, macros and constants Finds where items are used, referenced, read or written Welcome feature to aid in the investigation of issues

Klocwork Issue Detail Display Issue description Summary Link to record Name Location Owner Severity State Status Comments Traceback of problem path Listed in order of execution References to lines of code Nested references to other functions Nested references expand for deeper investigation

Klocwork Issue Identification Klocwork uses short hand notation to identify problem types ABR: Array Buffer Overrun NNTS: Non-Null-Terminating String Tends to be concise and memorable Can often determine type of problem in a glance Online documentation tends to be well written and informative Provides description, specific vulnerabilities, risks, mitigation and prevention Focus on security One common distinction: must vs. might Must issues indicate error that occur as a result of a single failure NPD.FUNC.MUST: NULL pointer returned by function always dereferenced Might indicates a failure might occur if more than one condition is true NPD.FUNC.MIGHT: NULL pointer dereferenced under certain conditions

Types of Issues Found by Static Analysis Null pointer dereferences Very effective in discovering null pointer dereference issues Many due to not checking pointer parameters for NULL NPD.CHECK.MIGHT: pointer checked for NULL but still dereferenced Can be quite insidious and may be overlooked in code review int handle_request( int op, int reqid, PduType *pdu, SyncState *state) { if (reqid!= state->reqid && pdu && pdu->command!= MSG_REPORT) { return 0; } if (op == RECEIVED_MESSAGE) { if (pdu->command == MSG_REPORT) { blah; blah; blah; } }

Types of Issues Found by Static Analysis Array buffer overruns Klocwork has discovered quite a few flavors String handling is common theme, especially regarding numbers char buffer[8]; sprintf( buffer, %s%d, type, value); Memory leaks Often caused by improper error handling Often not covered by functional testing Might be covered by unit testing C++ class constructors and destructors Expects that memory allocated in a constructor is freed in destructor Also expects copy constructor and assignment operator Death by a thousand pin pricks

Types of Issues Found by Static Analysis Use of freed memory Checks for use of memory pointer after return to system heap Did not expect to see in our software Found in third-party and open source components File Resource Leaks Like memory leaks, often the result of improper error handling Klocwork reports as lower priority Have found instances where file handles can be lost Concurrency violations Our software is often multithreaded Uncovered problems with semaphore handling Warns when semaphores taken but not returned within a function Warns when thread goes to sleep while still holding semaphore

Types of Issues Found by Static Analysis Security vulnerabilities Becoming a greater concern as more devices become connected Secure programming practices less obvious and often overlooked Vulnerable program will still pass functional tests Testing requires effort to actively exploit vulnerabilities Number of reported vulnerabilities continues to grow Risk of failure includes potential for exposure of sensitive data Prevention is far more effective than remediation Most vulnerabilities can be traced to a relatively small number of programming errors Klocwork references Common Weakness Enumeration dictionary Klocwork recently added support for MISRA C and C++ coding standards Adopted by aerospace, telecommunications, medical, defense and others

Analyzing the Analysis Finds many high-quality issues in the source code From 500,000 lines of C/C++ in more than 2000 files Found 1500 issues Rejected 175 issues Somebody had to look at those 1500 Issues Established code base, and third-party contributions Examine, prioritize and eventually fix True value seen after bug debt has been paid Problems found can be quickly identified and corrected Most useful when employed on new software as preventative

Analyzing the Analysis Potential to save many hours of frustration Hours spent trying to reproduce and capture and instance of a crash bug Race conditions can be the most devious and time consuming Found in Klockwork database after the fact. Other bugs are more treacherous Array access may overflow into unrelated data structure May cause mayhem in unrelated thread Or write over a virtual table causing mysterious crash Debugging requires setting watch point to catch in the act But, not perfect Has reported at least one false positive Has missed at least one array buffer overrun that caused random crash Ideally maintains a balance between useful and annoying Promotes good programming practices

Looking Forward Desktop integration Potentially provide instant feedback to developers Developers could fix errors before committing to version control system Many vendors provide integrations for Eclipse and Visual Studio Still perform bulk of analysis nightly Compiler integration Some vendors provide static analysis in compiler Integrated with build processes Limits choice of compiler

Fitting it all Together Excellent tool for finding bugs early in development Compliments compiler warnings Does not require actual hardware to analyze software Complements dynamic analysis (functional testing) Able to follow all/most paths within each function Testing and analysis are adept at finding different kinds of faults Cannot test functional requirements through static analysis Cannot reproduce all scenarios through emulation Complements formal code review and peer review Consistently finds instances of known issues Cannot replace expert eyes of peers Best option for testing third-party and open source software Most open source software is provided as-is and without warrantee Increases the tribal knowledge of an organization

Questions and Answers Brian Walker Brian.R.Walker@tektronix.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback