Upload File

static code analysis - umsl...

  • Home
  • Documents
  • Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools
16
Static Code Analysis By: Nathan Want, Nikolay Filipets, Sasa Basara

Upload: truongkiet

Post on 06-May-2018

241 views

Category:

Documents


4 download

Report

TRANSCRIPT

Page 1: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Static Code Analysis

By: Nathan Want, Nikolay Filipets, Sasa Basara

Page 2: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Overview

▸ Method▸ Tools▸ Applications (dl-fidigi & Mantra broswer) ▸ Errors & Resolutions

Page 3: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Static code analsyis is preformed without running the program. The analysis is preformed on the source code and is generally referred to as white box testing.

What is Static Code Analysis?

Page 4: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Advantages andDisvantages

• Weakness found at exact location

• Quicker turn around for fixes

• Tools can scan entire code base

• False positives and false negatives

• Provide a false sense of secuirty

• Vulnerabilities in runtime environment not found

Advantages

Disadvantages

Page 5: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Cppcheck

Cppcheck primarily detects the types of bugs that compliers normally do not detect. The goal is to detect only real errors in the code and reduce the false positives. Cppcheck unlike other analysis tools does not detect syntax errors in the code.

Page 6: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Screen shot example of our analysis (of dl-fidigi) using cppchecker

Page 7: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

dl-fidigi

dl-fldigi is an adapted version of the excellent free FLdigi soundcard decoding software. It takes the audio from your radio, decodes the balloon's signal, and then sends the telemetry it's found over the internet to a server running habitat, which plots the payloads position on to the SpaceNear map.

Page 8: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

dl-fidigi

Static Analysis results using Cppcheck:

Page 9: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Index missing conditional statement

Solution:

Make sure index does not exceed 13th element in ‘if’ statement.

Page 10: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Solution:

Do not enter loop if j== s.size

Loop missing conditional

Page 11: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Solution:

%5 should be %4

Incorret value

Page 12: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Mantra broswer

Mantra is a web browser developed by OWASP. It is a free browser that comes with a powerful set of security tools. A few notable features of Mantra are: FireCat/KromCAT menu structure, proxy tools, FTP, SSH, REST and SQLite clients, and URL increment/decrement buttons to quickly change URLS.

Page 13: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Mantra broswer

Static Analysis results using Cppcheck:

Page 14: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Memory freed twice

Solution:

nGetterText was deleted previosuly.Only delete mGetterText once

Page 15: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Array out of bounds

Solution:

Insert additonal condition to check if I is less than 32 before exuction of the statement

Page 16: Static Code Analysis - UMSL Blogsblogs.umsl.edu/infosec/files/2016/01/INFSYS6868_StaticAnalysis...What is Static Code Analysis? Advantages and ... Cppcheck unlike other analysis tools

Questions?


Static Analysis Static Analysis, Internal Forces, Stresses: Normal and Shear 1

Static analysis tools

Making Static Code Analysis More Efficient - River Publishers · 2017-08-09 · and CppCheck (freeware). Three sets of test samples for quality of the SCA assessment were selected

Secure Programming Lecture 2: · PDF fileSecure Programming Lecture 2: Landscape David ... Scanning of the libXfont sources with the cppcheck static

Static Time Analysis

Static Analysis & Tools Static Analysis

Static Analysis: Natural Frequency Analysis

Analysis The Current State of (Free) Static - schd.wsschd.ws/hosted_files/cppcon2015/c4/CurrentStateOfStaticAnalysis.pdf · The Current State of ... clang and cppcheck say they are

Evaluating the performance of open source static analysis ...cs.ru.nl/...4436555...source_static_analysis_tools.pdf · analysis tools (Clang, Infer, Cppcheck, Splint and, Frama-C)

Anna-Jayne Metcalfe @annajayne anna@ · PDF fileFree Static Analysis – CppCheck . Dynamic Analysis ... http:

Static Analysis

Cppcheck and PVS-Studio compared

Static Analysis: Load Factor Analysis

Configuring a professional open source development environment … · 2019-05-10 · Check the source code using the CPPCheck and CPPLint tools which means creating static code analysis

CERTIF: a testing methodology and a test bench to …...Static analysis tools Static analysis tools Static analysis tools Dynamic analysis tool (tests harnesses) Dynamic analysis tool

IXV Static Analysis - Spazio IT · PDF file“Cppcheck is a static analysis tool for C/C++ code Unlike C/C++ compilers and many other analysis tools it ... guide.html). October 2017

static force analysis

On the Value of Static Analysis for Fault Detection in ... the Value of Static Analysis for Fault Detection in Software ... static analysis tools ... performs static analysis of source

Static Pushover Analysis

Testing Tools and Jenkins - European Southern Observatory · PDF fileTesting Tools and Jenkins ... Running static analysis with Cppcheck. ... genhtml -o coverage_html

Przemysław Gawroński D-10, p. 234gawronski/pp_is_2020/... · 2020-05-21 · cppcheck - Tool for static C/C++ code analysis. Cppcheck is a command-line tool that tries to detect

Analysis and Design of Dynamic Behaviour for Embedded ...735222/FULLTEXT01.pdf · Analysis and Design of Dynamic Behaviour for Embedded Systems Using Policy ... analysis with CPPcheck

Static Code Analysis and Cppcheck

Static Timing Analysis

Static Analysis Comparison

Static Code Analysis - UMSL Blogs · 2016-01-13 · Cppcheck Cppcheck primarily detects the types of bugs that compliers normally do not detect. The goal is to detect only real errors

Common Errors in C/C++ Code and Static Analysiskdudka.fedorapeople.org/devconf12-static-analysis.pdf · 2012-02-17 · cppcheck uses its own parser and preprocessor reports only erorrs

Spazio IT IXV OBSW STATIC ANALYSIS - · PDF fileSpazio IT IXV OBSW Source Code STATIC ... –CppCheck ( - open ... c.com/wp.html) - to verify properties in a deductive manner

Static Code Analysis

Threat - inf.ed.ac.uk · PDF fileScanning of the libXfont sources with the cppcheck static analyzer included a report: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)

Software Static Analysis

Improving BIND 9 Code Quality - Internet Systems Consortium · Tools • Static code analyzers • scan-build • cppcheck • Clang-tidy • Runtime Analyzers • Address Sanitizer

Markus Mohrhard 2018-10-26 - The Document Foundation · 2018-11-06 · cppcheck Static analysis Open source tool Runs on a TDF server weekly Mail to developer list + website Many

for the ATLAS experiment at CERN Continuous Software ...wssspe.researchcomputing.org.uk/wp-content/uploads/... · cppcheck and the Synopsys Static Analysis Tool (Coverity)

Chapter 4 Static Structural Analysis - etu.edu.trmguler.etu.edu.tr/WB-Mech_120_Ch04_Static.pdf · Chapter 4 Static Structural Analysis. ... – For a static analysis, the end time