Gaps in Static Analysis Tool Capabilities - OMG World-Class Services for World-Class Competitiveness...
Transcript of Gaps in Static Analysis Tool Capabilities - OMG World-Class Services for World-Class Competitiveness...
Providing World-Class Services forWorld-Class Competitiveness
1
Gaps in Static Analysis ToolCapabilities
Providing World-Class Services forWorld-Class Competitiveness
2
Gaps in Static Analysis tools as identifiedduring the evaluation of five (5)commercially available static analysis tools– Collaborative effort between CTC, Carnegie
Mellon CyLab
Topics– Perspective
– Desirable Characteristics
– Significant Capability Gaps
– A Way Forward
– Summary
Overview
Providing World-Class Services forWorld-Class Competitiveness
3
Perspective: Experience with theTools
Thoroughly examined and compared five (5)commercial static analysis tools– Subjected to a variety of tests involving both
synthetic and “real-world” code
Helping to develop a methodology forextracting assurance about software usingstatic analysis
Providing World-Class Services forWorld-Class Competitiveness
4
Perspective: Constraints
Assume two (2) third party analysts (possiblyexperienced)
Assume one month to complete the evaluationAssume projects may scale to millions of lines
of code (LOC)Assume no single tool covers requirementsNeed tools that can facilitate this type of
analysis– Worst possible evaluation scenario
• No knowledge of the code• Varying degrees of expertise• Different requirements than the developers
Providing World-Class Services forWorld-Class Competitiveness
5
Desirable Characteristics
Characteristics that still cut across all tools:– Low False Positive (FP) and False Negative (FN)
rates– Deep coverage of at least one flaw type– Wider coverage of major security flaw types– Easy to perform analysis– Support for major programming languages– Tunable
Providing World-Class Services forWorld-Class Competitiveness
6
Existing Features (the good)
Code understandingfacilities
Extensibility ApplicationProgramming Interfaces(API)
Interprocedural analysisReview/Audit SupportAPI modelingFlow analysisFlaw pre/post conditions
Security knowledge basesData export & importCode browsingTrend analysisScalabilityMulti-language analysisAnalysis without build
modificationFlaw Filtering
Providing World-Class Services forWorld-Class Competitiveness
7
Significant Gaps
Reliability– Is the tool's analysis
thorough enough?Transparency
– Can we tell what thetool is and isn't doing?
Flaw Detection– Can tool that can detect
flaws of a certain type?Interoperability
– Can we get multipletools to work together?
Providing World-Class Services forWorld-Class Competitiveness
8
Reliability
Really Hard problems:
– Handling in-line assembly
– Pointer arithmetic
– Code generated or loaded at run time
– Deep Data Flow (DF) – Control Flow (CR) – AffineRelations (AR) – Value Set (VS) – Context Sensitive(CS) analysis (all at once)
Providing World-Class Services forWorld-Class Competitiveness
9
Reliability
Heuristically solvable but difficult problems:– Binary analysis
– Inter-procedural logic
– Multi-lingual analysis
– Analysis in the face of loops and recursion
– Understanding data structures
– Understanding the run-time environment
Providing World-Class Services forWorld-Class Competitiveness
10
Transparency
Evidence that a flaw is genuine– Tool confidence– Formal proofs of correctness– Complete description of how and why the flaw was
flagged
Evidence that non-flagged code can be trustedBounds of uncertaintyKnowledge of what the tool doesn't detect
Providing World-Class Services forWorld-Class Competitiveness
11
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Improp
erRetu
rnValu
eUse
Format S
tring
Memor
y Leak
TOCTOU
Buffer O
verfl
ow
Command
Injection
Uninitia
lized
Variable
Use
NullPointer
Derefe
renc
e
Tainte
d Data
UseAfte
r Free
Found by exactly 5 tools
Found by exactly 4 tools
Found by exactly 3 tools
Found by exactly 2 tools
Found by exactly 1 tools
Flaw Detection
Providing World-Class Services forWorld-Class Competitiveness
12
Interoperability
Unparsable outputNo standard for
result correlationNo standard API for:
– New checkers– Data exchange– Review of results– Accessing program
models
Providing World-Class Services forWorld-Class Competitiveness
13
A Way Forward
MinimumRequirements forReview Assistance
Potential IncidentIdentification
Standard Result FormatStandard IR APIAnnotation & Assertion
Support– Source code and tool
output
Bridging the Gap
Providing World-Class Services forWorld-Class Competitiveness
14
Minimum Requirements for ReviewAssistance
Cross referenced browsable results with sourcecode
Providing pre/post conditionsProviding flow analysisSupporting value sets for variablesSupporting programming slicingHelping to visualize codeHelping to easily query codePresenting the body of evidence of a flaw
Providing World-Class Services forWorld-Class Competitiveness
15
Potential Incident Identification
Identify all constructs that could cause a particular typeof flaw
Helps to determine how often the programmers “got itright”
Helps in estimating how much the analysis covered andthe breadth of exposure
Providing World-Class Services forWorld-Class Competitiveness
16
Standard Result Format
Addresses:– Interoperability– Review assistance
Requires:– Std. source locations– Std. line counting– Std. flaw types– Std. characterizations
Provides:– Data exchange– Collaboration– External audit
Providing World-Class Services forWorld-Class Competitiveness
17
Standard IR API
Addresses:– Interoperability– Extensibility
Requires:– Vendor and Community buy in– Funding?
Provides:– Customization– Technology Transfer– Speeds tool development
Providing World-Class Services forWorld-Class Competitiveness
18
Annotation Support
Tool support for language annotations– Verifying assertions– Inferring design intent
Tool support for generating annotations– Verifiable assertions about the code– Provide annotations to assist code review
Providing World-Class Services forWorld-Class Competitiveness
19
Summary
Current state of software assurance demandsmuch but there are limited practical solutions
Static analysis tools offer a promise to help butmust first overcome issues of reliability,transparency, detection and interoperability
Common open data formats and APIs canenhance the tools and improve our ability touse them