Static Analysis of a Linux Distribution

Similar documents
Is code in your project sane enough?

Compiling QGIS for Fedora 19 in a few steps

Firefox quality. Mozilla Paris FOSDEM Feb 3rd 2018

Manual Install Package Rpm Linux Command Line

Bug Hunting and Static Analysis

Attack Surface Intelligence of Source Code

Bug tracking. Second level Third level Fourth level Fifth level. - Software Development Project. Wednesday, March 6, 2013

Organising benchmarking LLVM-based compiler: Arm experience

SCAP Security Guide Questions / Answers. Ján Lieskovský Contributor WorkShop November 2015

kpatch Have your security and eat it too!

Intro to Linux & Command Line

CodeDynamics 2018 Release Notes

SCAP Security Guide Questions / Answers. Contributor WorkShop Volume #2

Lessons Learned with Time Based Releases for the EFL

Fedora s MirrorManager - now and the future

Agenda. Several projects are using GIT Developer(s) Junio Hamano, Linus Torvalds. Qt Stable release (January 31, 2011)

Introduction to GIT. Jordi Blasco 14 Oct 2011

CS197U: A Hands on Introduction to Unix

Red Hat Enterprise Linux 7 RPM Packaging Guide

Flatpak and your distribution. Simon McVittie

Using Static Code Analysis to Find Bugs Before They Become Failures

Overview. 1. Install git and create a Github account 2. What is git? 3. How does git work? 4. What is GitHub? 5. Quick example using git and GitHub

New Tools Used by the Scientific Linux Team

Continuous Integration INRIA

Indexing Large, Mixed- Language Codebases. Luke Zarko

SQL Server on Linux and Containers

FreeBSD and Git. Ed Maste - FreeBSD Vendor Summit 2018

SE420 Software Quality Assurance

Linux Kernel Evolution. OpenAFS. Marc Dionne Edinburgh

Red Hat Developer Tools

SSH Deploy Key Documentation

Embedded M2M Software Testing

CS 261 Recitation 1 Compiling C on UNIX

Project 1. Fast correction

Deeper Understanding of Software Collections

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Economies of Scale in Hacking Dave Aitel Immunity

Red Hat Software Collections. Ryan Hennessy Sr. Solutions Architect

Trends in Open Source Security. FOSDEM 2013 Florian Weimer Red Hat Product Security Team

LGTM Enterprise System Requirements. Release , August 2018

Lab 4: Interrupts and Realtime

Red Hat Developer Tools 2.1

Red Hat Security Data API 1.0

Introduction to Linux. Woo-Yeong Jeong Computer Systems Laboratory Sungkyunkwan University

Zero Install. Decentralised cross-platform package management

CSE 15L Winter Midterm :) Review

Introduction to Linux

Course Wiki. Today s Topics. Web Resources. Amazon EC2. Linux. Apache PHP. Workflow and Tools. Extensible Networking Platform 1

Red Hat Summit 2009 Rik van Riel

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

Fedora Extended Life cycle Support

Overview. What are community packages? Who installs what? How to compile and install? Setup at FSU RCC. Using RPMs vs regular install

Django-CSP Documentation

Red Hat Developer Tools

EECS Software Tools. Lab 2 Tutorial: Introduction to UNIX/Linux. Tilemachos Pechlivanoglou

Status.out and Debugging SWAMP Failures. James A. Kupsch. Version 1.0.2, :14:02 CST

RHEL Packaging. (making life easier with RPM) Jindr ich Novy Ph.D., June 26, 2012

Multi-Arch Layered Image Build System

Introduction to Linux

RED HAT DEVELOPER TOOLSET Build, Run, & Analyze Applications On Multiple Versions of Red Hat Enterprise Linux

CS11 Advanced C++ Fall Lecture 4

Frédéric Crozat SUSE Linux Enterprise Release Manager

Administrivia. Added 20 more so far. Software Process. Only one TA so far. CS169 Lecture 2. Start thinking about project proposal

Elivepatch Flexible distributed Linux Kernel live patching. Alice Ferrazzi

Benchmarking of Java Verification Tools at the Software Verification Competition (SV-COMP) Lucas Cordeiro Daniel Kroening Peter Schrammel

OpenShift is FanPaaStic. Linqing Lu PaaS Dragon

How we added software updates to AGL

HPE Security Fortify Plugins for Eclipse

Red Hat Developer Tools

Red Hat Enterprise Linux 8.0 Beta

Kernel Debugging with netdump and crash Worcester Linux Users Group January 13th, 2005

Mingw-w64 and Win-builds.org - Building for Windows

Introduction to Linux

manifold Documentation

TangeloHub Documentation

Software Architecture and Engineering: Part II

NSIGHT ECLIPSE EDITION

SECTION 1: CODE REASONING + VERSION CONTROL + ECLIPSE

Support Lifecycle Policy

Purpose of the Simulated function

JavaScript. What s wrong with JavaScript?

Continuous integration & continuous delivery. COSC345 Software Engineering

CREATING A COMMON SOFTWARE VERBS IMPLEMENTATION

Red Hat Mobile Application Platform Hosted 3

#jenkinsconf. Managing jenkins with multiple components project. Jenkins User Conference Israel. Presenter Name Ohad Basan

Table of Contents EVALUATION COPY

Eclipse Tutorial How To Write Java Program In Eclipse Step By Step Eclipse Tutorial For Beginners Java

openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager

ECE 471 Embedded Systems Lecture 4

Keeping Up With The Linux Kernel. Marc Dionne AFS and Kerberos Workshop Pittsburgh

Lecture 1 Niyaz M. Salih

Phony Programming (Series 60 Symbian Phones)

Lecture 10 Declarations and Scope

Version Control. Second level Third level Fourth level Fifth level. - Software Development Project. January 17, 2018

Software Collectoins for bleeding edge stacks on enterprise

Best Practices. Joaquim Rocha IT-DSS-TD

How to Use This Lab Manual

productmd Documentation

The Joy of Software Development

Red Hat JBoss Developer Studio 10.4 Installation Guide

Transcription:

Kamil Dudka Red Hat, Inc. November 8th 2016 <kdudka@redhat.com>

How to find programming mistakes efficiently? 0 users (preferably volunteers) 1 Automatic Bug Reporting Tool 2 code review, automated tests 3 static analysis! 1 / 18

Static Analysis is a good alternative to testing, can detect bugs fully automatically, can detect bugs before the code even runs! 2 / 18

Agenda 1 Terminology 2 Static Analysis of a Linux Distribution

Terminology Linux Distribution operating system (OS) based on the Linux kernel a lot of other programs running in user space usually open source 3 / 18

Terminology Upstream vs. Downstream upstream SW projects usually independent downstream distribution of upstream SW projects Fedora and RHEL use the RPM package manager Files on the file system owned by packages: Dependencies form an oriented graph over packages. We can query package database. We can verify installed packages. 4 / 18

Terminology Fedora vs. RHEL Fedora new features available early driven by the community (developers, users,... ) RHEL (Red Hat Enterprise Linux) stability and security of running systems driven by Red Hat (and its customers) 5 / 18

Terminology Where do RPM packages come from? Developers maintain source RPM packages (SRPMs). Binary RPMs can be built from SRPMs using rpmbuild: rpmbuild --rebuild git-2.6.3-1.fc24.src.rpm Binary RPMs can be then installed on the system: sudo dnf install git 6 / 18

Terminology Reproducible builds Local builds are not reproducible. mock chroot-based tool for building RPMs: mock -r fedora-rawhide-i386 git-2.6.3-1.fc24.src.rpm koji service for scheduling build tasks koji build rawhide git-2.6.3-1.fc24.src.rpm 7 / 18

Agenda 1 Terminology 2 Static Analysis of a Linux Distribution

Static Analysis of a Linux Distribution approx. 150 Million lines of C/C++ code in RHEL-7 huge number of (potential?) defects in certain projects thousands of packages developed independently of each other no control over technologies and programming languages no control over upstream coding style 8 / 18

Which static analyzers? Not many of them are ready for scanning a Linux distribution. Some analyzers are tweaked for a particular project (e.g. sparse for kernel). How to use multiple static analyzers easily? The csmock tool provides a common interface to GCC, Clang, Cppcheck, Shellcheck, Pylint, and Coverity. Besides C/C++, Java, and C#, Coverity now also analyzes dynamic languages (JavaScript, PHP, Python, Ruby). 9 / 18

Example Defects Found by Coverity Analysis Error: IDENTIFIER_TYPO: [#def1] anaconda-21.48.22.90/pyanaconda/ui/gui/spokes/source.py:1388: identifier_typo: Using "mirorlist" appears to be a typo: * Identifier "mirorlist" is only known to be referenced here, or in copies of this code. * Identifier "mirrorlist" is referenced elsewhere at least 27 times. anaconda-21.48.22.90/pyanaconda/packaging/ init.py:1046: identifier_use: Example 1: Using identifier "mirrorlist". anaconda-21.48.22.90/pyanaconda/packaging/yumpayload.py:732: identifier_use: Example 2: Using identifier "mirrorlist". anaconda-21.48.22.90/pyanaconda/packaging/yumpayload.py:879: identifier_use: Example 3: Using identifier "mirrorlist". anaconda-21.48.22.90/pyanaconda/packaging/yumpayload.py:726: identifier_use: Example 4: Using identifier "mirrorlist". anaconda-21.48.22.90/pyanaconda/packaging/yumpayload.py:335: identifier_use: Example 5: Using identifier "mirrorlist". anaconda-21.48.22.90/pyanaconda/ui/gui/spokes/source.py:1388: remediation: Should identifier "mirorlist" be replaced by "mirrorlist"? # 1386 url = self._repourlentry.get_text().strip() # 1387 if self._repomirrorlistcheckbox.get_active(): # 1388 -> repo.mirorlist = proto + url # 1389 else: # 1390 repo.baseurl = proto + url Error: NESTING_INDENT_MISMATCH: [#def2] infinipath-psm-3.3-19_g67c0807_open/psm_diags.c:284: parent: This 'if' statement is the parent, indented to column 5. infinipath-psm-3.3-19_g67c0807_open/psm_diags.c:285: nephew: This 'if' statement is nested within its parent, indented to column 7. infinipath-psm-3.3-19_g67c0807_open/psm_diags.c:286: uncle: This 'if' statement is indented to column 7, as if it were nested within the preceding parent statement, but it is not. # 284 if (src == NULL dst == NULL) # 285 if (src) psmi_free(src); # 286 -> if (dst) psmi_free(dst); # 287 return -1; # 288 } Error: COPY_PASTE_ERROR (CWE-398): [#def3] gnome-shell-3.14.4/js/ui/boxpointer.js:517: original: "resx -= x2 - arroworigin" looks like the original copy. gnome-shell-3.14.4/js/ui/boxpointer.js:536: copy_paste_error: "resx" in "resx -= y2 - arroworigin" looks like a copy-paste error. gnome-shell-3.14.4/js/ui/boxpointer.js:536: remediation: Should it say "resy" instead? # 534 } else if (arroworigin >= (y2 - (borderradius + halfbase))) { # 535 if (arroworigin < y2) # 536 -> resx -= (y2 - arroworigin); # 537 arroworigin = y2; # 538 } 10 / 18

Example A Defect Found by ShellCheck Error: SHELLCHECK_WARNING: [#def4] /etc/rc.d/init.d/squid:136:10: warning: Use "${var:?}" to ensure this never expands to /*. [SC2115] # 134 RETVAL=$? # 135 if [ $RETVAL -eq 0 ] ; then # 136 -> rm -rf $SQUID_PIDFILE_DIR/* # 137 start # 138 else https://github.com/koalaman/shellcheck/wiki/sc2115 11 / 18

What is important for developers? The static analysis tools need to: be fully automatic provide reasonable signal to noise ratio be approximately as fast as compilation of the package deliver results in a predictable amount of time = timeouts! 12 / 18

Research Prototypes Researchers are done when their tool works on a few examples of their choice. (phase 0) SW companies are interested in tools that can reliably process a significant amount of their code base. (phase 1) 99% of work on developing a successful tool is the transition: phase 0 phase 1 Competition on Software Verification (SV-COMP): https://sv-comp.sosy-lab.org/2016/results/results-verified/ 13 / 18

Priority Assessment Problem Developers say: I have 200+ already known bugs in my project waiting for a fix. Why should I care about additional bugs that users are not aware of yet? Not all defects are equally important to be fixed! Scoring systems like CWE (Common Weakness Enumeration)... but none of them is universally applicable. 14 / 18

Differential scans We know that our packages contain a lot of potential bugs. It is easy to create new bugs while trying to fix existing bugs. Which bugs were added/fixed in an update of something? An example using the csbuild utility demo (GNU nano): csbuild -c "make -j9" csbuild -g v2.7.0..master -c "make -j9" csbuild -g v2.7.0..master --git-bisect \ -c "make clean && make -j9" 15 / 18

Upstream vs. Enterprise Different approaches to (differential) static analysis: Upstream Fix as many defects as possible. False positive ratio increases over time! Enterprise Verify code changes in ancient SW. 5 10% of defects are usually detected as new in an update. 5 10% of them are usually confirmed as real by developers. 16 / 18

Processing the Results of Static Analysis Some tools come with a user interface for waiving defects. Per-defect waivers do not scale for a Linux distribution. Certain developers prefer to use terminal over web browser. Utilities processing text line-by-line are not optimal for this: grep csgrep sort cssort... https://github.com/kdudka/csdiff 17 / 18

Continuous Integration It is expensive to fix bugs detected late in the release schedule. It is difficult and risky to fix bugs in already released products. We would like to catch bugs at the time they are created. An example using the csbuild utility demo: csbuild -c "./buildconf &&./configure && make -j9" \ --install libtool --git-bisect \ --gen-travis-yml >.travis.yml git add.travis.yml git commit -m "notify me about newly introduced defects" git push 18 / 18

Slides Available Online https://kdudka.fedorapeople.org/muni16.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback