Verification & Validation of Open Source


2011 Workshop on Spacecraft Flight Software
Gordon Uchenick, Coverity, Inc.

Open Source is Ubiquitous
Most commercial and proprietary software systems have some open source component.

Open Source in Embedded Software
- According to Gartner, by 2012, 80% of commercial software development projects will include open source components.
- Popularity of the Linux kernel.
- Even proprietary operating systems have absorbed some open source components.

The Challenges When Using Open Source
Incorporating open source isn't free or effortless:
1. Quality risk: each developer tests according to his own requirements, which probably limits the scope of testing.
2. Unit testing and integration testing have unknown rigor and coverage.
3. There are two ways of getting issues resolved:
   1. Report issues upstream and wait for patches.
   2. Dedicate internal resources to maintain the open source component, and then feed fixes back into the community.

How Static Analysis Can Help
Fewer defects escape development, reducing risk with respect to quality, budget, and schedule.
[Figure: lifecycle timeline with the phases Design, Development, Quality Assurance, Product Release]
Automated, scalable, fast. Finds and reports defects in all parts of the code, as well as defects due to integration.

How Static Analysis Works
Three stages: Build, Analyze, Present & Manage.
- Build: integrates with existing build systems; mimics the behavior of dozens of compilers so it sees exactly the code the real build compiles.
- Analyze: explores the program's execution paths statically, without running the code; finds defects and inconsistent coding patterns.
- Present & Manage: explains the location and root cause of each defect; lets teams manage and share the triage of defects.

Static Analysis for Managing Risk from Open Source
1. Use static analysis to automate defect detection across the entire code base, including the open source components. Having all of the source code, rather than just API contracts, enables a more complete analysis.
2. Fixes can be verified: Did I fix the problem? Did I break anything else?

Most Commonly Found Defects in Open Source (frequency across SCAN projects, with assessed risk)

Defect                        Frequency   Risk
NULL pointer dereference      27.60%      Medium
Resource leak                 23.19%      High
Unintentional expressions      9.76%      Medium
Uninitialized values read      8.41%      High
Use after free                 5.91%      High
Buffer overflow                5.52%      High

Coverity SCAN: Accelerating Open Source Software Integrity
Established in 2006 in collaboration with the US Department of Homeland Security. http://scan.coverity.com

                                       2009          2010
Total LOC scanned                      11.5 billion  14.5 billion
Total open source projects analyzed    280           291
Total defects found                    38,453        49,654
Total defects fixed                    11,246        15,278

Resources
- Coverity SCAN project: http://scan.coverity.com
- Software Integrity Risk Report: http://www.coverity.com/forrester-software-Integrity-Risk/
- 2010 SCAN Report: http://softwareintegrity.coverity.com/2011scanandroidreg.html

Thank You

Appendix: A few static analysis examples

C/C++ Defects That Coverity Can Find, Part 1
- Resource leaks: memory leaks; resource leak in object; incomplete delete; Microsoft COM BSTR memory leak
- Uninitialized variables: missing return statement; uninitialized pointer/scalar/array read/write; uninitialized data member in class or structure
- Concurrency issues: deadlocks; race conditions; blocking call misuse
- Integer handling issues: improper use of negative value; unintended sign extension
- Improper use of APIs: insecure chroot; using invalid iterator; printf() argument mismatch
- Memory corruptions: out-of-bounds access; string length miscalculations; copying to destination buffers too small; overflowed pointer write; negative array index write; allocation size error
- Memory illegal access: incorrect delete operator; overflowed pointer read; out-of-bounds read; returning pointer to local variable; negative array index read; use/read pointer after free
- Control flow issues: logically dead code; missing break in switch; structurally dead code
- Error handling issues: unchecked return value; uncaught exception; invalid use of negative variables

C/C++ Defects That Coverity Can Find, Part 2
- Program hangs: infinite loop; double lock or missing unlock; negative loop bound; thread deadlock; sleep() while holding a lock
- Null pointer dereferences: dereference after a null check; dereference of a null return value; dereference before a null check
- Code maintainability issues: multiple return statements; unused pointer value
- Insecure data handling: integer overflow; loop bound by untrusted source; write/read of array/pointer with untrusted value; format string from untrusted source
- Performance inefficiencies: big parameter passed by value; large stack use
- Security best practice violations: possible buffer overflow; copy into a fixed-size buffer; calling a risky function; use of an insecure temporary file; time of check different from time of use; user pointer dereference

C/C++ Resource Leaks
Resource leaks occur when the last variable holding a resource goes out of scope (or is overwritten) without the resource being released. Memory leaks are the most common kind of resource leak.
Technical impact: crashes, inability to allocate more resources, and vulnerability to denial-of-service attacks (an attacker who can trigger the leaking path repeatedly exhausts the resource).

Example: C++ Memory Leak
The constructor allocates memory into a member field, but the destructor does not free that field, so every instance leaks its allocation when it is destroyed.

Example: Memory Leak
The function allocates names, then allocates other variables, checking for allocation failure after each. The cleanup code frees the wrong variable (a cut-and-paste error?), so names is leaked. Bonus: the variable freed in its place may already have been freed, a potential double free.

C++ Memory Leak with Incorrect Delete
The constructor of each object allocates a field, and the code allocates an array of those objects. Releasing the array with delete instead of delete[] means the element destructors are not called (and is undefined behaviour besides), leaking the memory held in the fields.

Other C/C++ Resource Leaks
Coverity also detects incorrect delete patterns such as:
delete a, b; // comma operator means only a is deleted
and resource leaks on handles that refer to files, sockets, and other system resources.

C/C++ Memory Corruption
Memory corruption occurs when a program writes to memory it does not own: outside the bounds of a buffer, or through a pointer that is stale or never referred to heap memory in the first place. Buffer overflow is the most common name for the first of these, and is often used loosely for the whole class.
Technical impact: crashes, unexpected behavior, security vulnerabilities (an out-of-bounds write with attacker-controlled data is the classic route to code execution).

Example: Memory Corruption
The table has 6 ints, so the valid indices are 0..5, but the loop runs from 0 to sizeof(table). Because sizeof(table) is measured in bytes (24 with 4-byte ints), not in elements, the table is indexed well past the end of the array.
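The sizeof-as-bound bug above, written out as an added example (not the slide's own code). Running the loop as the slide describes is undefined behaviour, so here every access goes through a small bounds check and the code counts how many iterations would have landed past the end; the checked-read helper and the table contents are assumptions introduced for the demonstration.

```cpp
#include <cstddef>

// Six-element table, as on the slide. Sample contents are constructed here.
static int table[6] = {1, 2, 3, 4, 5, 6};

// Element count: the bound the loop should have used.
// (C++17 std::size(table) computes the same thing.)
const size_t kTableLen = sizeof(table) / sizeof(table[0]);

// Checked read: refuses any index at or beyond len instead of touching
// memory past the array.
bool read_checked(const int* arr, size_t len, size_t i, int* out) {
    if (i >= len) return false;
    *out = arr[i];
    return true;
}

// The slide's loop bound. sizeof(table) is the byte size (24 with 4-byte
// ints), so indices 6..23 are out of bounds. Returns how many accesses the
// bounds check had to refuse.
int out_of_bounds_accesses_with_sizeof_bound() {
    int refused = 0, v = 0;
    for (size_t i = 0; i < sizeof(table); ++i)          // BUG: byte count as index
        if (!read_checked(table, kTableLen, i, &v)) ++refused;
    return refused;                                      // sizeof(int) * 6 - 6
}

// Corrected loop: bound by element count. Returns the table's sum so a
// caller can confirm exactly the six real elements were visited.
int sum_with_element_count_bound() {
    int sum = 0, v = 0;
    for (size_t i = 0; i < kTableLen; ++i) {
        if (!read_checked(table, kTableLen, i, &v)) break;
        sum += v;
    }
    return sum;
}
```

Without the checked-read wrapper the original loop reads 18 ints of whatever follows the table; the same mistake in a loop that writes is the overflow the analyzer classifies as memory corruption.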

Example: Memory Corruption
ident is assigned the address of a constant (literal) string and is later passed to free(). Freeing memory that did not come from the allocator is undefined behaviour: the allocator reads the bookkeeping data it expects to find next to the block, so this corrupts memory or aborts.

Example: Double Free
buf1 is freed, then freed again (a copy-and-paste error). Bonus: buf3 is never freed, a memory leak.
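The C cleanup bugs from the three slides above (the wrong variable freed so names leaks, a free() of a string literal, and buf1 freed twice) reproduced as an added example rather than the slides' own code. Because executing a double free or a free() of a literal really does corrupt the heap, the calls go through a small allocation tracker, an assumed helper that plays the role a dynamic checker such as valgrind or AddressSanitizer would play: it records every allocation, counts and refuses any invalid release, and reports what was never freed. The sample strings are constructed for the demonstration.

```cpp
#include <cstdlib>
#include <cstring>
#include <cstddef>

// What went wrong in one demonstration.
struct AllocReport {
    int leaks;          // buffers never released
    int double_frees;   // release of a buffer that was already released
    int invalid_frees;  // release of memory that never came from alloc()
};

// Minimal allocation tracker (assumed helper, not part of the original slides).
class AllocTracker {
public:
    enum { kMax = 16 };
    AllocTracker() : count_(0), double_frees_(0), invalid_frees_(0) {}

    void* alloc(size_t n) {
        void* p = malloc(n);
        if (p && count_ < kMax) { ptrs_[count_] = p; live_[count_] = true; ++count_; }
        return p;
    }

    // Mirrors free(): NULL is a no-op; a second release of the same block or
    // a release of an unknown pointer is counted instead of executed.
    void release(void* p) {
        if (p == NULL) return;
        for (int i = 0; i < count_; ++i) {
            if (ptrs_[i] != p) continue;
            if (!live_[i]) { ++double_frees_; return; }
            live_[i] = false;
            free(p);
            return;
        }
        ++invalid_frees_;
    }

    // Anything still live is a leak; it is freed here so the tracker itself
    // leaks nothing.
    AllocReport report() {
        AllocReport r = { 0, double_frees_, invalid_frees_ };
        for (int i = 0; i < count_; ++i)
            if (live_[i]) { ++r.leaks; free(ptrs_[i]); live_[i] = false; }
        return r;
    }

private:
    void* ptrs_[kMax];
    bool  live_[kMax];
    int   count_, double_frees_, invalid_frees_;
};

// "Memory Leak" and "Double Free" slides: allocation failures are checked,
// but the cleanup frees buf1 twice and never frees names.
AllocReport cleanup_with_wrong_free() {
    AllocTracker t;
    char* names = static_cast<char*>(t.alloc(64));
    char* buf1  = static_cast<char*>(t.alloc(32));
    char* buf2  = static_cast<char*>(t.alloc(32));
    if (names == NULL || buf1 == NULL || buf2 == NULL) return t.report();
    strcpy(names, "alice,bob");      // constructed sample data
    strcpy(buf1, "buffer one");
    strcpy(buf2, "buffer two");
    t.release(buf1);
    t.release(buf2);
    t.release(buf1);                 // BUG: meant names; buf1 double freed, names leaked
    return t.report();
}

// "Freeing constant string" slide: ident points at a literal, not at a block
// obtained from the allocator.
AllocReport free_of_constant_string() {
    AllocTracker t;
    const char* ident = "default-ident";
    t.release(const_cast<char*>(ident));   // BUG: free() of a string literal
    return t.report();
}

// Corrected cleanup: one exit path, each buffer released exactly once, each
// pointer nulled afterwards so an accidental second release becomes free(NULL).
AllocReport cleanup_fixed() {
    AllocTracker t;
    char* names = static_cast<char*>(t.alloc(64));
    char* buf1  = static_cast<char*>(t.alloc(32));
    char* buf2  = static_cast<char*>(t.alloc(32));
    if (names && buf1 && buf2) {
        strcpy(names, "alice,bob");
        strcpy(buf1, "buffer one");
        strcpy(buf2, "buffer two");
    }
    t.release(buf2);  buf2 = NULL;
    t.release(buf1);  buf1 = NULL;
    t.release(names); names = NULL;
    return t.report();
}
```

The tracker is deliberately what a static analyzer reasons about symbolically: which pointers are live on each path to the cleanup code. The same three functions compiled with -fsanitize=address and called directly on real malloc/free would report the double free and the bad free at runtime, but only if a test happens to exercise that path, which is the coverage gap static analysis closes.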

Example: Buffer Overflow
A possible security vulnerability through a stack buffer overflow: input of unchecked length is copied into a fixed-size buffer on the stack.
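The stack buffer overflow pattern above beside a hardened form, as an added example (the slide's own code is not reproduced). The unchecked function is included only for contrast and is never given long input here; the bounded copy helper and its fail-closed behaviour are the assumed design, not something the slide prescribes.

```cpp
#include <cstring>
#include <cstddef>

// Slide pattern: `name` is caller-controlled. Anything longer than 15
// characters makes strcpy write past buf into whatever the compiler placed
// after it on the stack (other locals, saved registers, the return address).
// Never call this with untrusted input; it exists only to contrast with the
// checked version below.
size_t greet_unchecked(const char* name) {
    char buf[16];
    strcpy(buf, name);                     // BUG: no check against sizeof buf
    return strlen(buf);
}

// Bounded copy that fails closed. Returns true only when src and its
// terminator fit in dst; otherwise dst becomes "" rather than a silently
// truncated or, as with a strncpy that fills the buffer, unterminated string.
bool copy_bounded(char* dst, size_t dst_size, const char* src) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') ++n;   // scan no further than we could store
    if (n == dst_size) {                           // no room left for the terminator
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                       // n characters plus the terminator
    return true;
}

// Hardened version: same fixed stack buffer, but input that does not fit is
// rejected. Returns the stored length, or -1 when the input was refused.
int greet_checked(const char* name) {
    char buf[16];
    if (!copy_bounded(buf, sizeof buf, name)) return -1;
    return static_cast<int>(strlen(buf));
}
```

Rejecting oversized input is usually the right policy for a fixed buffer; where truncation is acceptable, the caller should get that decision explicitly rather than as a side effect of which copy routine was called.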

Example: String Buffer Escape
The C++ string s is destroyed when the function returns, making the pointer returned from c_str() invalid. The caller of this function will find stack garbage there, causing unexpected behavior and possibly a crash.
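The escaping c_str() pointer above next to two ways of fixing it, as an added example rather than the slide's own code. The label format and the caller-supplied-buffer variant are assumptions made for the demonstration.

```cpp
#include <string>
#include <cstring>
#include <cstddef>

// Slide pattern: s is a local; its buffer is released when the function
// returns, so the pointer handed back refers to dead stack storage. Any use
// of the result is undefined behaviour (it may look fine for a while and then
// show garbage or crash). Shown only for contrast.
const char* make_label_dangling(int id) {
    std::string s = "sensor-" + std::to_string(id);
    return s.c_str();                    // BUG: pointer into a destroyed local
}

// Fix 1: return the owning object. The caller's copy outlives the call, and
// c_str() on it stays valid for as long as the caller keeps the string.
std::string make_label(int id) {
    return "sensor-" + std::to_string(id);
}

// Fix 2: when a plain C string is required, the caller owns the storage and
// the copy happens while s is still alive. Fails closed on a too-small buffer.
bool make_label_into(int id, char* out, size_t out_size) {
    std::string s = make_label(id);
    if (out == NULL || out_size == 0) return false;
    if (s.size() + 1 > out_size) { out[0] = '\0'; return false; }
    memcpy(out, s.c_str(), s.size() + 1);
    return true;
}
```

The same defect hides in any API that returns a raw pointer obtained from a temporary, for example c_str() on the result of a function call used inline in a longer expression; the analyzer's "returning pointer to local variable" checker is the static counterpart of what AddressSanitizer's stack-use-after-return detection finds at runtime.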

Other Memory Corruption Defects Coverity Can Detect
Coverity looks for over a dozen different patterns of memory corruption, including:
- String length miscalculations
- Copying to too-small destination buffers
- Negative array index write
- Allocation size error
- Integer overflow