Software Security - Static Analysis Tools
1 Comment
  • Hello. I would invite all who are interested in static code analysis to try our tool PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of use of PVS-Studio:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/
  1. Software Security: Static analysis tools
     Presented by Emanuela Boroș, “Al. I. Cuza” University, Faculty of Computer Science, Master of Software Engineering, II
  2. 1. What is Static Analysis?
     2. Static Analysis Advantages
     3. Static Analysis Tools for C/C++, Java
     4. Samples
  3. What is Static Analysis?
  4. What is Static Analysis?
     ● performed without actually executing or running that software
     ● performed by an automated tool
  5. Static Analysis Advantages
  6. Static Analysis Advantages
     ● improve the quality and reliability of embedded systems software
     ● significant reductions in development testing and field failures
     ● careful when a large amount of code is used in the development projects
  7. Static Analysis Advantages
     ● can detect
       ● buffer overflows,
       ● security vulnerabilities,
       ● memory leaks,
       ● timing anomalies (such as race conditions, deadlocks, and livelocks),
       ● dead or unused source code segments,
       ● and other common programming mistakes
  8. Static Analysis Tools
  9. Software Tool       | Domain     | Responsible Party                                        | Languages   | Platforms
     CodeSonar           | Commercial | Grammatech                                               | C, C++      | Windows
     Coverity            | Commercial | Coverity, Inc.                                           | C, C++      | Windows
     CodeSurfer          | Commercial | Grammatech                                               | C, C++      | Windows
     FlawFinder          | GPL        | David A. Wheeler                                         | C, C++      | UNIX
     ITS4                | Commercial | Cigital                                                  | C, C++      | Linux, Solaris, Windows
     Java PathFinder     | Academic   | NASA Ames                                                | Java        | Any JVM compatible platform
     JLint               | Academic   | Konstantin Knizhnik, Cyrille Artho                       | Java        | Any JVM compatible platform
     PREfix and PREfast  | Commercial | Microsoft                                                | C, C++, C#  | Windows
     RATS                | Academic   | Secure Software                                          | C, C++      | Windows, Unix
     Splint              | Academic   | University of Virginia, Department of Computer Science   | C           | Windows, Unix, Linux
  10. C/C++
  11. rats-2.3
      ● Rough Auditing Tool for Security
      ● open source tool
      ● C, C++, Perl, PHP and Python source code
      ● rough analysis of source code
      ● manual inspection of the code is still necessary, but is greatly aided by this tool
  12. rats-2.3
      ● error messages controlled by XML reporting filters (requires the XML tool expat to also be installed)
      ● configure the level of output
      ● alternative vulnerability databases
      ● buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
  13. rats-2.3
      ● extremely simple
      ● scans through a file (lexically) looking for syntactic matches based on several simple rules that might indicate possible security vulnerabilities
      ● “use of strcpy() should be avoided”
  14. rats-2.3
      ● the use of greedy pattern matching
      ● "printf" will match not only "printf()" calls but also "vsnprintf()"
      ● authors of RATS and Flawfinder, by the way, plan to coordinate their development efforts to produce a high quality, open-source development tool
  15. Usage
      rats [-d <database>] [-h] [-r] [-w <level>] [-x] [file1 file2 ... filen]
      Options explained:
      -d  Specifies a vulnerability database to be loaded. You may have multiple -d options, and each database specified will be loaded.
      -h  Displays a brief usage summary.
      -i  Causes a list of function calls that were used which accept external input to be produced at the end of the vulnerability report.
      -l  Force the specified language to be used regardless of filename extension. Currently valid language names are "c", "perl", "php" and "python".
      -r  Causes references to vulnerable function calls that are not being used as calls themselves to be reported.
      -w  Sets the warning level. Valid levels are 1, 2 or 3. Warning level 1 includes only default and high severity; level 2 includes medium severity (level 2 is the default); warning level 3 includes low severity vulnerabilities.
      -x  Causes the default vulnerability databases to not be loaded.
  16. Samples
      Issue: fixed size global buffer    Severity: High
      Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

          int main(int argc, char *argv[])
          {
              char dir[1024];
              char cmd[1200];
              char buff[1024];
              ...

      Issue: sprintf    Severity: High
      Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s without precision that could result in a buffer overflow.

          if (getenv("HOME") != NULL) {
              sprintf(dir, "%s", getenv("HOME"));
          }
          ...

  17. Samples
      Issue: strcpy    Severity: High
      Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

          if (argc == 2) {
              strcpy(dir, argv[1]);
          }
  18. Caveats
      ● the lack of any preprocessing, so no macros or definitions are expanded

          #define p(x) printf ## x
          char *string1, *string2;
          /* stuff happens ... */
          p((string1));         /* insecure! */
          p((string2));         /* insecure! */
          p(("%s", string1));   /* correct! */

      ● produces only one error, in the definition, but not in the use of the macro
      ● insecure calls can be made multiple times, which will go unnoticed by the code scanner
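To make slides 13, 14 and 18 concrete (lexical scanning, greedy pattern matching, and the no-preprocessing blind spot), here is a toy scanner added for this page; it is not RATS's code and not from the slides. The sample C string, the mini "database" dict and the function names scan and flagged_lines are constructed for the illustration.

```python
import re

# Constructed sample, not from any real project: the C fragments the slides
# show RATS flagging, plus the macro from the Caveats slide. Line numbers in
# the findings refer to this string (line 1 is the #define).
SAMPLE_C = """\
#define p(x) printf ## x
int main(int argc, char *argv[]) {
    char dir[1024];
    if (getenv("HOME") != NULL) { sprintf(dir, "%s", getenv("HOME")); }
    if (argc == 2) { strcpy(dir, argv[1]); }
    vsnprintf(dir, sizeof dir, "%s", ap);
    p((string1));  /* the insecure call is hidden behind the macro */
    return 0;
}
"""

# Hypothetical mini vulnerability database (name -> severity). RATS keeps its
# real database in XML files; this toy does not reproduce that format.
DB = {"strcpy": "High", "sprintf": "High", "printf": "Medium"}


def scan(source, greedy=True):
    """Lexical scan, one line at a time, with no preprocessing.

    greedy=True  imitates substring matching: "printf" also hits the
                 sprintf() and vsnprintf() lines (slide 14).
    greedy=False requires a whole identifier followed by "(".
    Returns (line number, matched name, severity) tuples.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, severity in DB.items():
            if greedy:
                hit = name in line
            else:
                hit = re.search(r"\b%s\s*\(" % re.escape(name), line) is not None
            if hit:
                findings.append((lineno, name, severity))
    return findings


def flagged_lines(findings):
    """Set of line numbers that received at least one finding."""
    return {lineno for lineno, _, _ in findings}


if __name__ == "__main__":
    for mode in (True, False):
        print("greedy" if mode else "identifier match")
        for lineno, name, sev in scan(SAMPLE_C, greedy=mode):
            print("  line %d: %s (Severity: %s)" % (lineno, name, sev))
    # line 7, the macro use, appears in neither report
```

The greedy run reports the #define line and vsnprintf as "printf" hits (noise the auditor must discard), while neither mode reports line 7, because the scanner never expands p(x).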
  19. Conclusions
      ● source code scanners can help improve the state of your code in development or afterwards
      ● these tools help assist you in the auditing process, not automate it