The document discusses static analysis of C/C++ code using the PVS-Studio analyzer. It provides examples of errors found by PVS-Studio in various projects, including uninitialized buffers, potential null pointer dereferences, and array overruns. It also describes some of the techniques used by PVS-Studio, such as type inference, data flow analysis, symbolic execution, and pattern-based analysis to detect errors. Method annotations are used to provide information about standard library functions to improve analysis accuracy.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. And as a result of that we are releasing this advisory today as a coordinated effort, and patches for all distribution are available January 27, 2015.
Самые вкусные баги из игрового кода: как ошибаются наши коллеги-программисты ...DevGAMM Conference
Один из лучших способов снизить количество багов в играх – это показывать программистам, как не стоит писать код. В своём докладе я соберу самые вкусные и необычные ошибки, которые удалось найти в C++ и C# коде таких игр, как VVVVVV, Space Engineers, Command & Conquer, osu! и даже Doom. Я уверен, что каждый из слушателей обязательно узнает для себя что-то новое. В конце концов, это просто приятно – лично увидеть ошибки из кода знакомой и любимой игры!
Story of static code analyzer developmentAndrey Karpov
Greetings from the past: simple tools and bad standards. Regular expressions don’t work. What is inside modern static code analyzers on the PVS-Studio example. About machine learning. Learning vs Data Flow analysis.
it is and slide contains Save to your mobile device with our new app
Don't have time to read now? Save SlideShares to read later or offline - anytime, anywhere.
dding more information (description, tags, category) makes it easier for others to find your content. The score increases as you add each item.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. And as a result of that we are releasing this advisory today as a coordinated effort, and patches for all distribution are available January 27, 2015.
Самые вкусные баги из игрового кода: как ошибаются наши коллеги-программисты ...DevGAMM Conference
Один из лучших способов снизить количество багов в играх – это показывать программистам, как не стоит писать код. В своём докладе я соберу самые вкусные и необычные ошибки, которые удалось найти в C++ и C# коде таких игр, как VVVVVV, Space Engineers, Command & Conquer, osu! и даже Doom. Я уверен, что каждый из слушателей обязательно узнает для себя что-то новое. В конце концов, это просто приятно – лично увидеть ошибки из кода знакомой и любимой игры!
Story of static code analyzer developmentAndrey Karpov
Greetings from the past: simple tools and bad standards. Regular expressions don’t work. What is inside modern static code analyzers on the PVS-Studio example. About machine learning. Learning vs Data Flow analysis.
it is and slide contains Save to your mobile device with our new app
Don't have time to read now? Save SlideShares to read later or offline - anytime, anywhere.
dding more information (description, tags, category) makes it easier for others to find your content. The score increases as you add each item.
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
The talk will look at limitations of compilers when creating fast code and how to make more effective use of both the underlying micro-architecture of modern CPU's and how algorithmic optimizations may have surprising effects on the generated code. We shall discuss several specific CPU architecture features and their pros and cons in relation to creating fast C++ code. We then expand with several algorithmic techniques, not usually well-documented, for making faster, compiler friendly, C++.
Note that we shall not discuss caching and related issues here as they are well documented elsewhere.
This a collection of micro optimizations done for a course at vienna university of technology.
The code is available at: https://github.com/grill/micro-optimisations
Presented at DevWeek (25th March 2015)
These days, testing is considered a sexy topic for programmers. Who’d have thought it? But what makes for good unit tests (GUTs)? There’s more to effective unit testing than just knowing the assertion syntax of a testing framework.
Testing represents a form of communication and, as such, it offers multiple levels and forms of feedback, not just basic defect detection. Effective unit testing requires an understanding of what forms of feedback and communication are offered by tests, and what styles encourage or discourage such qualities.
What style of test partitioning is most common, and yet scales poorly and is ineffective at properly expressing the behaviour of a class or component? What styles, tricks and tips can be used to make tests more specification-like and can scale as the codebase grows?
This session will address these questions and outline exactly what makes a good unit test.
Intel IPP Samples for Windows - error correctionPVS-Studio
This is one of my posts on how PVS-Studio makes programs safer. That is where and what types of errors it detects. This time it is samples demonstrating handling of the IPP 7.0 library (Intel Performance Primitives Library) we are going to examine.
Intel IPP Samples for Windows - error correctionAndrey Karpov
This is one of my posts on how PVS-Studio makes programs safer. That is where and what types of errors it detects. This time it is samples demonstrating handling of the IPP 7.0 library (Intel Performance Primitives Library) we are going to examine.
University of Virginia
cs4414: Operating Systems
http://rust-class.org
What happened with Apple's SSL implementation
How to make sure this doesn't happen to you!
Sharing data
ARCs in Rust
Scheduling
For embedded notes, see:
Living with Garbage by Gregg Donovan at LuceneSolr Revolution 2013Gregg Donovan
Understanding the impact of garbage collection, both at a single node and a cluster level, is key to developing high-performance, high-availability Solr and Lucene applications. After a brief overview of garbage collection theory, we will review the design and use of the various collectors in the JVM.
At a single-node level, we will explore GC monitoring -- how to understand GC logs, how to monitor what % of your Solr request time is spend on GC, how to use VisualGC, YourKit, and other tools, and what to log and monitor. We will review GC tuning and how to measure success.
At a cluster-level, we will review how to design for partial availability -- how to avoid sending requests to a GCing node and how to be resilient to mid-request GC pauses.For application development, we will review common memory leak scenarios in custom Solr and Lucene application code and how to detect them.
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Explicit vs. Automatic Memory Management
Garbage Collection, Reference Counting
Rust ownership types
For embedded notes, see: http://rust-class.org/class9-pointers-in-rust.html
Rust — это современный, практический, быстрый и безопасный язык программирования. Некоторые говорят, что Rust — это как C++, если бы его писал человек, знающий Haskell.
Система типов Rust решает главную проблему C++ — небезопасность. C++ очень легко сделать ошибки, которые приведут к поломкам (например, use after free). Rust позволяет писать безопасный код, сохраняя при этом выразительность и околонулевые накладные расходы C++. В докладе будут подробно описаны механизмы языка, которые контролируют безопасность программы.
Хотя в данный момент Rust ещё не подходит для использования в продакшне, его всё равно стоит изучать. Во-первых, потому что это очень интересный подход к программированию, а во-вторых, потому что через несколько лет для разработки требовательных к ресурсам программ будет необходим именно Rust или другой похожий инструмент.
Multithreading with modern C++ is hard. Undefined variables, Deadlocks, Livelocks, Race Conditions, Spurious Wakeups, the Double Checked Locking Pattern, etc. And at the base is the new Memory-Modell which make the life not easier. The story of things which can go wrong is very long. In this talk I give you a tour through the things which can go wrong and show how you can avoid them.
PVS-Studio team experience: checking various open source projects, or mistake...Andrey Karpov
To let the world know about our product, we check open-source projects. By the moment we have checked 245 projects. A side effect: we found 9574 errors and notified the authors about them.
PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms.
Static analysis and writing C/C++ of high quality code for embedded systemsAndrey Karpov
Static analysis is not a silver bullet
Static analysis is the answer to the question: "How to make our code better?"
What does mean " better "? It will be easier to maintain and develop it, eliminate problems in it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
The talk will look at limitations of compilers when creating fast code and how to make more effective use of both the underlying micro-architecture of modern CPU's and how algorithmic optimizations may have surprising effects on the generated code. We shall discuss several specific CPU architecture features and their pros and cons in relation to creating fast C++ code. We then expand with several algorithmic techniques, not usually well-documented, for making faster, compiler friendly, C++.
Note that we shall not discuss caching and related issues here as they are well documented elsewhere.
This a collection of micro optimizations done for a course at vienna university of technology.
The code is available at: https://github.com/grill/micro-optimisations
Presented at DevWeek (25th March 2015)
These days, testing is considered a sexy topic for programmers. Who’d have thought it? But what makes for good unit tests (GUTs)? There’s more to effective unit testing than just knowing the assertion syntax of a testing framework.
Testing represents a form of communication and, as such, it offers multiple levels and forms of feedback, not just basic defect detection. Effective unit testing requires an understanding of what forms of feedback and communication are offered by tests, and what styles encourage or discourage such qualities.
What style of test partitioning is most common, and yet scales poorly and is ineffective at properly expressing the behaviour of a class or component? What styles, tricks and tips can be used to make tests more specification-like and can scale as the codebase grows?
This session will address these questions and outline exactly what makes a good unit test.
Intel IPP Samples for Windows - error correctionPVS-Studio
This is one of my posts on how PVS-Studio makes programs safer. That is where and what types of errors it detects. This time it is samples demonstrating handling of the IPP 7.0 library (Intel Performance Primitives Library) we are going to examine.
Intel IPP Samples for Windows - error correctionAndrey Karpov
This is one of my posts on how PVS-Studio makes programs safer. That is where and what types of errors it detects. This time it is samples demonstrating handling of the IPP 7.0 library (Intel Performance Primitives Library) we are going to examine.
University of Virginia
cs4414: Operating Systems
http://rust-class.org
What happened with Apple's SSL implementation
How to make sure this doesn't happen to you!
Sharing data
ARCs in Rust
Scheduling
For embedded notes, see:
Living with Garbage by Gregg Donovan at LuceneSolr Revolution 2013Gregg Donovan
Understanding the impact of garbage collection, both at a single node and a cluster level, is key to developing high-performance, high-availability Solr and Lucene applications. After a brief overview of garbage collection theory, we will review the design and use of the various collectors in the JVM.
At a single-node level, we will explore GC monitoring -- how to understand GC logs, how to monitor what % of your Solr request time is spend on GC, how to use VisualGC, YourKit, and other tools, and what to log and monitor. We will review GC tuning and how to measure success.
At a cluster-level, we will review how to design for partial availability -- how to avoid sending requests to a GCing node and how to be resilient to mid-request GC pauses.For application development, we will review common memory leak scenarios in custom Solr and Lucene application code and how to detect them.
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Explicit vs. Automatic Memory Management
Garbage Collection, Reference Counting
Rust ownership types
For embedded notes, see: http://rust-class.org/class9-pointers-in-rust.html
Rust — это современный, практический, быстрый и безопасный язык программирования. Некоторые говорят, что Rust — это как C++, если бы его писал человек, знающий Haskell.
Система типов Rust решает главную проблему C++ — небезопасность. C++ очень легко сделать ошибки, которые приведут к поломкам (например, use after free). Rust позволяет писать безопасный код, сохраняя при этом выразительность и околонулевые накладные расходы C++. В докладе будут подробно описаны механизмы языка, которые контролируют безопасность программы.
Хотя в данный момент Rust ещё не подходит для использования в продакшне, его всё равно стоит изучать. Во-первых, потому что это очень интересный подход к программированию, а во-вторых, потому что через несколько лет для разработки требовательных к ресурсам программ будет необходим именно Rust или другой похожий инструмент.
Multithreading with modern C++ is hard. Undefined variables, Deadlocks, Livelocks, Race Conditions, Spurious Wakeups, the Double Checked Locking Pattern, etc. And at the base is the new Memory-Modell which make the life not easier. The story of things which can go wrong is very long. In this talk I give you a tour through the things which can go wrong and show how you can avoid them.
PVS-Studio team experience: checking various open source projects, or mistake...Andrey Karpov
To let the world know about our product, we check open-source projects. By the moment we have checked 245 projects. A side effect: we found 9574 errors and notified the authors about them.
PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms.
Static analysis and writing C/C++ of high quality code for embedded systemsAndrey Karpov
Static analysis is not a silver bullet
Static analysis is the answer to the question: "How to make our code better?"
What does mean " better "? It will be easier to maintain and develop it, eliminate problems in it
So, what is PVS-Studio? PVS-Studio is a ecosystem that provides you static code analyzer for C, C++, C# and Java programming languages and utilities to make life with static code analyzer easier. PVS-Studio works on Windows, Linux and macOS platforms.
I’ll focus more on C/C++ features. So, we support modern and famous compilers such as: MSVC, GCC, Clang - and several compiler for Embedded systems: ARM GCC/Clang, Keil, IAR, TI.
We also have several plugins for modern IDEs for convenient work: Visual Studio 2010-2019, JetBrains Rider and IntelliJ IDEA. Compilation monitoring. We provide a tool that may help you to check your project with “exotic” build system (e.g. SCons, Bazel, etc).
Suppress files. After you’ve checked your project, you may get tons of warnings on your legacy code. There is a solution – you push all your warnings in some file called suppress base, and in the next run you’ll get 0 warnings.
Incremental analysis. If you modify some files in your project, you want only them to be checked as the compiler recompiles them. We have scenery for that. We call it incremental analysis.
We have successfully created and continue developing PVS-Studio analyzer for C/C++ languages. Over the time, it became clear that many of the diagnostics that we have implemented are not related to a specific programming language, so we decided to apply our experience to another programming language, namely C#. In this article, we are talking about the analysis of Code Contracts project by Microsoft done by our C# analyzer
How Data Flow analysis works in a static code analyzerAndrey Karpov
Data flow analysis is a technology for source code analysis, widely used in various development tools: compilers, linters, IDE. We'll talk about it exemplifying with design of a static analyzer. The talk covers classification and various kinds of data flow analysis, neighbouring technologies supporting each other, obstacles arising during development, surprises from C++ language when one tries to analyze the code. In this talk, some errors, detected in real projects using this technology, are shown in detail.
Checking the Cross-Platform Framework Cocos2d-xAndrey Karpov
Cocos2d is an open source software framework. It can be used to build games, apps and other cross-platform GUI based interactive programs. Cocos2d contains many branches with the best known being Cocos2d-Swift, Cocos2d-x, Cocos2d-html5 and Cocos2d-XNA.
In this article, we are going to discuss results of the check of Cocos2d-x, the framework for C++, done by PVS-Studio 5.18. The project is pretty high-quality, but there are still some issues to consider. The source code was downloaded from GitHub.
PVS-Studio for Linux Went on a Tour Around DisneyPVS-Studio
Recently we released a Linux version of PVS-Studio analyzer, which we had used before to check a number of open-source projects such as Chromium, GCC, LLVM (Clang), and others. Now this list includes several projects developed by Walt Disney Animation Studios for the community of virtual-reality developers. Let's see what bugs and defects the analyzer found in these projects.
This time it was the microcosm that brought us a few interesting bugs. We have checked the open-source project μManager with our analyzer PVS-Studio. This project is a software package for automated microscope image acquisition.
The X-Ray Engine is a game engine, used in the S.T.A.L.K.E.R. game series. Its code was made public in September 16 2014, and since then, STALKER fans continue its development. A large project size, and a huge number of bugs in the games, gives us a wonderful chance to show what PVS-Studio is capable of.
A new version of Firebird DBMS was released not so long ago. This release was one of the most significant in the project's history, as it marked substantial revision of the architecture, addition of multithreading support, and performance improvements. Such a significant update was a good occasion for us to scan Firebird one more time with PVS-Studio static code analyzer.
A new version of Firebird DBMS was released not so long ago. This release was one of the most significant in the project's history, as it marked substantial revision of the architecture, addition of multithreading support, and performance improvements. Such a significant update was a good occasion for us to scan Firebird one more time with PVS-Studio static code analyzer.
Checking the code of Valgrind dynamic analyzer by a static analyzerPVS-Studio
This statement would be incorrect, as well as the reverse idea. The tools of static and dynamic analysis complement each other, they do not compete with each other. Both of these methods have strengths and weaknesses. Some errors cannot be detected by dynamic analyzers, some - by static ones. That's why I suggest treating this post as another demonstration of the abilities of PVS-Studio, not the comparison of two methodologies.
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2PVS-Studio
This is the second and last part of the large article about analysis of the Haiku operating system. In the first article, we discussed a variety of possible errors all of which one way or another deal with conditions. In this article, we will discuss the remaining analyzer warnings I have selected for you. The bug examples are grouped into several categories.
KDE (abbreviation for K Desktop Environment) is a desktop environment primarily for Linux and other
UNIX-like operating systems. To put it simple, it's the thing which is responsible for the entire graphic
design. The environment is based on the cross-platform user interface development toolkit Qt. The
development is done by several hundreds of programmers throughout the world devoted to the idea of
free software. KDE offers a complete set of user environment applications that allows one to interact
with the operating system within the framework of a modern graphic interface. So let's see what KDE
has under the hood.
Checking the World of Warcraft CMaNGOS open source serverPVS-Studio
In this article, I would like to share the results of our analysis of the open source implementation of the World of Warcraft server, CMaNGOS, as done by the PVS-Studio static analyzer.
A Slipshod Check of the Visual C++ 2013 Library (update 3)Andrey Karpov
Someone suggested to me recently that I check the libraries from Visual Studio 2013. I haven't found
anything of much interest, just a few small errors and slip-ups. They wouldn't make an interesting,
attractive article, but I've still decided to describe all those defects. I just hope it will help make the
libraries a bit better and stimulate the authors to carry out a more thorough analysis. I don't have the
project files necessary to build the libraries, so my analysis had to be superficial and I could have missed
a lot.
Presentation of features already voted into C++20 Standard Draft in Toronto, Albuquerque, and Jacksonville ISO C++ Committee Meetings as well as the overview of other really promising proposals that have high chances to arrive in C++20.
In most of our articles about project checks, we mention that bugs are found by the PVS-Studio static code analyzer. In certain cases – when dealing with projects of a complex structure – it is this particular analyzer that is needed. However, many developers will also appreciate its lightweight version, the CppCat analyzer. In this connection, we decided to use CppCat this time, when checking the TortoiseGit project.
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerAndrey Karpov
We gave the TortoiseSVN developers a free registration key for some time so that they could check their project. While they haven't utilized it yet, I've decided to download the TortoiseSVN source codes and check it myself. My interest is obvious: I want to make another article to advertise PVS-Studio.
We already checked the TortoiseSVN project long ago. It was done at the same time as PVS-Studio 4.00 was released, which for the first time included diagnostic rules for general analysis.
Similar to Detection of errors and potential vulnerabilities in C and C++ code using the PVS-Studio analyzer (20)
Здесь вы найдёте 60 вредных советов для программистов и пояснение, почему они вредные. Всё будет одновременно в шутку и серьёзно. Как бы глупо ни смотрелся вредный совет, он не выдуман, а подсмотрен в реальном мире программирования.
In this article, you're going to find 60 terrible coding tips — and explanations of why they are terrible. It's a fun and serious piece at the same time. No matter how terrible these tips look, they aren't fiction, they are real: we saw them all in the real programming world.
Ошибки, которые сложно заметить на code review, но которые находятся статичес...Andrey Karpov
Есть ошибки, которые легко прячутся от программистов на обзорах кода. Чаще всего они связаны с опечатками или недостаточным знанием тонких нюансах языка/библиотеки. Давайте посмотрим интересные примеры таких ошибок и как их можно выявить с помощью статического анализа. При этом анализаторы не конкурируют с обзорами кода или, например, юнит-тестами. Они отлично дополняют другие методологии борьбы с ошибками.
When should you start using PVS-Studio? What can PVS-Studio detect? Supported standards: MISRA, CWE, CERT, OWASP, AUTOSAR. What about analysis options? What about legacy code?
Двойное освобождение ресурсов. Недостижимый код. Некорректные операции сдвига. Неправильная работа с типами. Опечатки и copy-paste. Проблемы безопасности. Путаница с приоритетом операций.
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...Andrey Karpov
What is static analysis and what is it for? How does static analysis work? (Unreal Engine 4). How to introduce static analysis in your project: best practices.
Does static analysis need machine learning?Andrey Karpov
Introduction to static analysis. Existing solutions and approaches they implement. Problems and pitfalls when creating an analyzer. When learning «manually». When learning on a real large code base. Most promising approaches.
Typical errors in code on the example of C++, C#, and JavaAndrey Karpov
Objectives of this webinar
How we detected error patterns
Patterns themselves and how to avoid them:
3.1 Copy-paste and last line effect
3.2 if (A) {...} else if (A)
3.3 Errors in checks
3.4 Array index out of bounds
3.5 Operator precedence
3.6 Typos that are hard to spot
How to use static analysis properly
Conclusion
Q&A
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)Andrey Karpov
How to fight bugs in legacy code?
Should you do it at all?
What to do if there are hundreds or even thousands of errors?(that’s usually the case)
How to avoid spending a plethora of man-hours on this?
And still, how did you work with Unreal Engine?
C++ Code as Seen by a Hypercritical ReviewerAndrey Karpov
We all do code reviews. Who doesn't admit this – does it twice as often. C++ code reviewers look like a sapper. .. except that they can make a mistake more than once. But sometimes the consequences are painful . Brave code review world.
Static Code Analysis for Projects, Built on Unreal EngineAndrey Karpov
Why Do You Need Static Analysis? Detect errors early in the program development process. Get recommendations on code formatting. Check your spelling. Calculate various software metrics.
Are С and C++ Alive? Even More, IBM RPG Is! C and C++ Are Not Just for Old Systems. Are С and C++ Alive? Summary for C, C++. Embedded: C and С++ Are on the Rise.
Zero, one, two, Freddy's coming for youAndrey Karpov
This post continues the series of articles, which can well be called "horrors for developers". This time it will also touch upon a typical pattern of typos related to the usage of numbers 0, 1, 2. The language you're writing in doesn't really matter: it can be C, C++, C#, or Java. If you're using constants 0, 1, 2 or variables' names contain these numbers, most likely, Freddy will come to visit you at night. Go on, read and don't say we didn't warn you.
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsAndrey Karpov
We continue making the use of PVS-Studio more convenient. Our analyzer is now available in Chocolatey, the package manager for Windows. We believe this will make it easier to deploy PVS-Studio, particularly in cloud services. So right off the bat, we also checked the source code of the same Chocolatey. Azure DevOps took on the role of the CI system.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Detection of errors and potential vulnerabilities in C and C++ code using the PVS-Studio analyzer
1. Detection of errors and
potential vulnerabilities in C
and C++ code using the PVS-
Studio analyzer
Andrey Karpov, CTO
www.viva64.com
karpov@viva64.com
7. Error in the project
Multi-threaded Dynamic Queue
PVS-Studio: V505 The 'alloca' function is used
inside the loop. This can quickly overflow
stack. GridCtrl gridctrl.cpp 2332
7
COleDataSource* CGridCtrl::CopyTextFromGrid()
{
....
for (int row = Selection.GetMinRow();
row <= Selection.GetMaxRow(); row++)
{
....
sf.Write(T2A(str.GetBuffer(1)), str.GetLength());
....
}
....
}
9. Error in the project
Network Security Services (NSS)
9
SECStatus
SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
PRUint32 src_length)
{
SHA512Context ctx;
unsigned int outLen;
SHA384_Begin(&ctx);
SHA512_Update(&ctx, src, src_length);
SHA512_End(&ctx, dest, &outLen, SHA384_LENGTH);
memset(&ctx, 0, sizeof ctx);
return SECSuccess;
} PVS-Studio: V597 CWE-14 The compiler could delete the
'memset' function call, which is used to flush 'ctx' object.
The RtlSecureZeroMemory() function should be used to
erase the private data. sha512.c 1423
10. char c;
printf("%s is already in *.base_fs format, just copying ....);
rewind(blk_alloc_file);
while ((c = fgetc(blk_alloc_file)) != EOF) {
fputc(c, base_fs_file);
}
10
Error in the Android project
11. char c;
printf("%s is already in *.base_fs format, just copying ....);
rewind(blk_alloc_file);
while ((c = fgetc(blk_alloc_file)) != EOF) {
fputc(c, base_fs_file);
}
PVS-Studio: V739 CWE-20 EOF should not be compared with a value of the 'char' type. The
'(c = fgetc(blk_alloc_file))' should be of the 'int' type. blk_alloc_to_base_fs.c 61
11
Error in the Android project
12. Code reviews are great, but they are not
enough
• MS DOS 1.0 : 4 000 lines of code
• Linux 1.0.0 kernel: 176 250 lines of code
• Linux 4.11.7 kernel in 100 times more: 18 373 471 lines
of code
• Photoshop 1.0 : 128 000 lines of code
• Photoshop CS 6 : 10 000 000 lines of code
12
13. Static analyzers have had tarnished reputation
in the past
• RATS, Cppcheck
• MISRA C, MISRA C++
13
15. Type inference
• Type information is needed to implement the majority of diagnostics
• Ability to infer a type from a typedef chain is needed
• Ability to substitute types (and constants) for templates’ analysis is
needed
typedef
15
17. Type inference
template<class T, size_t N> struct X
{
T A[N];
void Foo()
{
memset(A, 0, sizeof(T) * 10);
}
};
void Do()
{
X<int, 5> a;
a.Foo();
}
PVS-Studio: V512 CWE-119 Instantiate X < int, 5 >: A call of
the 'memset' function will lead to overflow of the buffer
'A'. test.cpp 127
17
18. Data-flow analysis
int cache_lookup_path(...., vnode_t dp, ....)
{
....
if (dp && (dp->v_flag & VISHARDLINK)) {
break;
}
if ((dp->v_flag & VROOT) ||
dp == ndp->ni_rootdir ||
dp->v_parent == NULLVP)
break;
....
}
Error in the
XNU kernel
PVS-Studio: V522 CWE-690 There might be dereferencing of a
potential null pointer 'dp'. vfs_cache.c 1449
18
23. Data-flow analysis
• CoreHard Spring 2018. Pavel Belikov. How Data Flow analysis works in
a static code analyzer
https://youtu.be/nrQUpGM9vYQ
23
24. Symbolic execution
void F(int X)
{
int A = X;
int B = X + 10;
int Q[5];
Q[B - A] = 1;
}
PVS-Studio: V557 CWE-787 Array overrun is possible. The 'B - A' index is pointing
beyond array bound. test.cpp 126
24
25. Symbolic execution
PVS-Studio: V547 CWE-571 Expression 'A < C' is always true. test.cpp 137
void F(int A, int B, int C)
{
if (A < B)
if (B < C)
if (A < C)
foo();
}
25
26. Pattern-based analysis
Error in the Linux Kernel
static ssize_t lp8788_show_eoc_time(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct lp8788_charger *pchg = dev_get_drvdata(dev);
char *stime[] = { "400ms", "5min", "10min", "15min",
"20min", "25min", "30min" "No timeout" };
....
}
PVS-Studio: V653 A suspicious string consisting of two parts is used for
array initialization. It is possible that a comma is missing. Consider
inspecting this literal: "30min" "No timeout". lp8788-charger.c 657
26
27. Pattern-based analysis
Error in the
WebRTC project
void AsyncSocksProxySocket::SendAuth() {
....
char * sensitive = new char[len];
pass_.CopyTo(sensitive, true);
request.WriteString(sensitive); // Password
memset(sensitive, 0, len);
delete [] sensitive;
DirectSend(request.Data(), request.Length());
state_ = SS_AUTH;
}
PVS-Studio: V597 CWE-14 The compiler could delete the 'memset' function
call, which is used to flush 'sensitive' object. The RtlSecureZeroMemory()
function should be used to erase the private data. socketadapters.cc 677 27
29. Method annotations
• Static analysis isn’t magic, but a great work
• For example, in PVS-Studio 7140 functions (C и C++) are annotated
29
30. Method annotations
• WinAPI
• Standard C library
• Standard template library (STL)
• glibc (GNU C Library)
• Qt
• MFC
• zlib
• libpng
• OpenSSL
• and so on
30
33. Example of the fread function annotation
define MAX_AVISYNTH_SCRIPT_LENGTH 16384
void TavisynthPage::onLoad(void)
{
....
char script[MAX_AVISYNTH_SCRIPT_LENGTH];
size_t len = fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f);
fclose(f);
script[len] = '0';
....
}
Error in the
ffdshow project
33
34. Example of the fread function annotation
define MAX_AVISYNTH_SCRIPT_LENGTH 16384
void TavisynthPage::onLoad(void)
{
....
char script[MAX_AVISYNTH_SCRIPT_LENGTH];
size_t len = fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f);
fclose(f);
script[len] = '0';
....
}
Error in the
ffdshow project
PVS-Studio: V557 Array overrun is possible. The value of 'len' index
could reach 16384. cavisynth.cpp 129
34
36. Automatic functions annotation
Error in the Android project
bool ELFAttribute::merge(....) {
....
uint32_t subsection_length =
*reinterpret_cast<const uint32_t*>(subsection_data);
if (llvm::sys::IsLittleEndianHost !=
m_Config.targets().isLittleEndian())
bswap32(subsection_length);
....
}
PVS-Studio: V530 CWE-252 The return value of function 'bswap32' is required to be
utilized. ELFAttribute.cpp 84
36
37. Mixture of techniques
int Div(int X)
{
return 10 / X;
}
void Foo()
{
for (int i = 0; i < 5; ++i)
Div(i);
}
PVS-Studio: V609 CWE-628 Divide by zero. Denominator 'X' == 0.
The 'Div' function processes value '[0..4]'. Inspect the first
argument. Check lines: 106, 110. test.cpp 106
Automatic functions annotation
+
Control flow analysis
37
38. Time to talk about vulnerabilities
38
Error Vulnerability
42. Search of potential vulnerabilities
• Ordinary diagnostics
• V1010 – a diagnostic which will help detecting potential
vulnerabilities which can be classified as CWE-20: Improper Input
Validation
42
45. CVE-2014-1266static OSStatus
SSLVerifySignedServerKeyExchange(.....)
{
OSStatus err;
....
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
....
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
• V640 / CWE-483 The code's operational logic does not
correspond with its formatting. The statement is
indented to the right, but it is always executed. It is
possible that curly brackets are missing.
• V779 / CWE-561 Unreachable code detected. It is
possible that an error is present
45
47. CVE-2012-2122
V642 Saving the 'memcmp' function result inside the 'char' type variable is inappropriate.
The significant bits could be lost breaking the program's logic. password.c
typedef char my_bool;
my_bool
check_scramble(const char *scramble_arg, const char *message,
const uint8 *hash_stage2)
{
....
return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}
47
48. Conclusion
• Analyzers now and 10 years ago are two very different beasts
• Introduction of static analysis is inevitable due to increasing sizes and
difficulty of projects
• Analyzers will help to detect many potential vulnerabilities and errors
at the earliest development stage
• Try PVS-Studio
48
49. Time for your questions!
Andrey Karpov, CTO
E-Mail: karpov@viva64.com
49