Static Analysis Primer
Published in: Technology
  • Given the diversity of approaches and goals for static analysis tools, I wanted to better understand how static analysis tools differ.
  • There are three parts. The Build step captures information about how your code is compiled. We create a virtual build that wraps around your standard build process and transparently captures how it invokes your compiler(s). From this we capture all of the source files as well as the parameters describing how the source is compiled, including things like macro definitions and the meaning of command line options. This results in a high fidelity recording of your code and the way it’s assembled.
  • The Analysis is where we analyze every path through your code with a battery of tests, organized by what we call “checkers”. These checkers look for actual defects, not just coding style violations. These are patterns of code execution that can cause crashes, memory corruption, memory and handle leaks, and other kinds of problems that are hard errors, not just stylistic rules. Throughout our analysis we have taken great care to try to eliminate false positives, which are error reports that are not true defects. Our false positive rate is the lowest in the industry, typically less than 20% out of the box. This is important because developers will not adopt tools that are mostly a waste of their time.
  • Finally, it’s important to present the results clearly because it’s not only about finding defects, it’s about fixing them. The results are stored in a database and presented to give actionable information so developers can fix them efficiently. We’ll focus this talk on the Analysis and Presentation. For more about the Build, click on the Build icon; otherwise we will skip this.
  • Transcript

    • 1. Static Analysis Primer
    • 2. What It Is
      “A family of techniques of program analysis where the program is not actually executed but is analyzed by tools to produce useful information. Techniques range from the most mundane (statistics on the density of comments, for instance) to the more complex, semantics-based techniques. Qualities sought in static analysis techniques are soundness and completeness.”
      Source: Webster’s Dictionary
    • 3. Why You Should Use It: 1. It Saves Time and Money
    • 4. Static Analysis: Why You Should Use It
      The later software defects are addressed in the product lifecycle, the more expensive they are to fix. It can cost 30x more to find and fix defects post-release vs. in the Requirements & Design phase of development.
      Graph, cost to fix by software development stage: Requirements and Design 1X; Code and Unit Testing 5X; Integration and System Testing 10X; Beta Testing 15X; Post Release 30X. Chart annotation: “Static analysis finds problems here.”
      Graph data source: The Economic Impacts of Inadequate Infrastructure for Software Testing, National Institute of Standards and Technology (NIST), 2002
    • 5. Why You Should Use It: 2. It works while you sleep
    • 6. What It Can Find
      Resource Leaks
        • Memory leaks
        • Resource leak in object
        • Incomplete delete
        • Microsoft COM BSTR memory leak
      Uninitialized variables
        • Missing return statement
        • Uninitialized pointer/scalar/array read/write
        • Uninitialized data member in class or structure
      Concurrency Issues
        • Deadlocks
        • Race conditions
        • Blocking call misuse
      Integer handling issues
        • Improper use of negative value
        • Unintended sign extension
        • Incompatible cast
      Improper Use of APIs
        • Insecure chroot
        • Using invalid iterator
        • printf() argument mismatch
      Memory Corruptions
        • Out-of-bounds access
        • String length miscalculations
        • Copying to destination buffers too small
        • Overflowed pointer write
        • Negative array index write
        • Allocation size error
      Memory-illegal access
        • Incorrect delete operator
        • Overflowed pointer read
        • Out-of-bounds read
        • Returning pointer to local variable
        • Negative array index read
        • Use/read pointer after free
      Control flow issues
        • Logically dead code
        • Missing break in switch
        • Structurally dead code
      Error handling issues
        • Unchecked return value
        • Uncaught exception
        • Invalid use of negative variables
    • 7. What It Can Find (continued)
      Program hangs
        • Infinite loop
        • Double lock or missing unlock
        • Negative loop bound
        • Thread deadlock
        • sleep() while holding a lock
      Null pointer dereferences
        • Dereference after a null check
        • Dereference a null return value
        • Dereference before a null check
      Code maintainability issues
        • Multiple return statements
        • Unused pointer value
      Incorrect expressions
        • Evaluation order violation
        • Copy and paste error
      Insecure data handling
        • Integer overflow
        • Loop bound by untrusted source
        • Write/read array/pointer with untrusted value
        • Format string with untrusted source
      Performance inefficiencies
        • Big parameter passed by value
        • Large stack use
      Security best practices violations
        • Possible buffer overflow
        • Copy into a fixed size buffer
        • Calling risky function
        • Use of insecure temporary file
        • Time of check different than time of use
        • User pointer dereference
    • 8. How It Works
      Three steps: Build, Analyze, Present & Manage
    • 9. How It Works: Build
        • Captures information about how your code is compiled.
        • Creates a virtual build that wraps around your standard build process and captures how it invokes your compiler(s).
        • Captures all source files, incl. parameters about how the source is compiled (macro definitions, meaning of command line options, etc.).
        • Provides a high-fidelity recording of your code and how it’s assembled.
    • 10. How It Works: Analyze
        • Analyzes every path through your code via “checkers” which look for actual defects vs. style violations.
        • Patterns of code execution that cause crashes, memory corruption, memory and handle leaks, etc.
        • Eliminates false positives.
        • Industry accepted standard for a “good” false positive rate is less than 20%.
    • 11. How It Works: Present & Manage
        • Clearly presents results including actionable information, enabling defects to be quickly and efficiently found AND fixed.
    • 12. How It Fits Into the SDLC
      Workflow diagram (reconstructed from its labels; for illustration only, other workflow integrations are possible):
        Development: Desktop Analysis; Code Check In; Nightly/Continuous Build; Static Analysis Results; Review defects; Prioritize actions; Make fixes; Track progress
        QA: Functional Testing; Performance Testing; Stress Testing; Integration Testing; Static Analysis Results
        Product Release & Management: Security Audits; Product Release Management
    • 13. What To Look For…
        • Code, Build, Test: Nightly Build, Continuous Integration
        • High-Fidelity Code Compilation
        • High-Performance Analysis
        • Low False Positive Rate
        • Detecting Critical Defects
        • Easy Defect Navigation and Comprehension
        • Comprehensive Triage and Remediation
        • Management Visibility and Governance
        • Team Collaboration
    • 14. Copyright 2013 Coverity, Inc.
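As an added illustration of how the checker-based Analyze step on slide 10 pattern-matches defect classes from the "What It Can Find" lists (slides 6 and 7), the following Python AST checker is not code from the deck or from Coverity; it implements two of the listed classes, "Dereference before a null check" and "Structurally dead code", over a constructed sample module. The function names (analyze, check_reverse_null, check_unreachable) and the sample source are assumptions made for this example.

```python
import ast

# Constructed sample (not from the deck): a dereference before a None check, and dead code after a return
SAMPLE_SOURCE = '''
def handle(request):
    body = request.read()   # attribute access on request ...
    if request is None:     # ... then a None check: the check comes too late
        return None
    return body
def parse(data):
    return data.strip()
    log("unreachable")      # statement after return never runs
'''

def names_checked_for_none(func):
    # collect {(name, lineno)} for every `x is None` / `x is not None` test inside func
    found = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Compare) and isinstance(node.left, ast.Name):
            is_op = any(isinstance(op, (ast.Is, ast.IsNot)) for op in node.ops)
            vs_none = any(isinstance(c, ast.Constant) and c.value is None for c in node.comparators)
            if is_op and vs_none:
                found.add((node.left.id, node.lineno))
    return found

def check_reverse_null(func):
    # flag attribute access on a name that is only compared against None on a later line
    findings, checks = [], names_checked_for_none(func)
    for node in ast.walk(func):
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            for name, check_line in checks:
                if name == node.value.id and node.lineno < check_line:
                    findings.append(("REVERSE_NULL", node.lineno, name))
    return findings

def check_unreachable(func):
    # flag statements that follow return/raise/break/continue within the same block
    findings = []
    for node in ast.walk(func):
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(node, field, None)
            if isinstance(stmts, list):
                for i, stmt in enumerate(stmts[:-1]):
                    if isinstance(stmt, (ast.Return, ast.Raise, ast.Break, ast.Continue)):
                        findings.append(("UNREACHABLE", stmts[i + 1].lineno, ""))
                        break
    return findings

def analyze(source):
    # run the battery of checkers over every function; each finding is (checker, line, detail)
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    return sorted(f for fn in funcs for f in check_reverse_null(fn) + check_unreachable(fn))
```

These checkers are purely syntactic and line-order based; a production analysis such as the one the deck describes is path-sensitive, which is what keeps its false positive rate down on code where the None check and the access sit on different paths.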