Static code analysis finds avoidable errors

At the Source

Virtue out of Necessity

If you want to get used to a thorough and clean programming style, going with Splint is undoubtedly a good idea – you will be in good company. Developers who also want to investigate every false positive thoroughly will find RATS a helpful companion.

In all cases, the results are important: enforcing quality assurance; rethinking and relearning from the constant, unyielding criticism of the check tools; and ensuring low-security-risk software. OpenBSD shows that static code analysis, reviews, and coding standards can make secure programming a reality, as evidenced by just two remotely exploitable security vulnerabilities in 20 years.

Infos

  1. Anderson, James P. Computer Security Technology Planning Study. Bedford (MA): Deputy for Command and Management Systems HQ Electronic Systems Division (AFSC), Technical Report ESD-TR-73-51, Vol. II, October 1972, https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande72.pdf
  2. "NT Web Technology Vulnerabilities" by rain.forest.puppy, Phrack Magazine , volume 8, issue 54, December 25, 1998, article 8, http://phrack.org/issues/54/8.html#article
  3. "Embedded Coding Standard" by Barr Group: https://barrgroup.com/Embedded-Systems/Books/Embedded-C-Coding-Standard/Introduction
  4. Uncrustify: http://uncrustify.sourceforge.net
  5. JSLint: http://www.jslint.com
  6. JavaScript tutorials: https://wiki.selfhtml.org/wiki/JavaScript/Tutorials/Einstieg/Einbindung_in_HTML
  7. JavaScript strings: https://www.w3schools.com/js/js_strings.asp
  8. CC BY-SA 3.0: https://creativecommons.org/licenses/by-sa/3.0/
  9. Splint: http://splint.org
  10. Hoare, C.A.R. An axiomatic basis for computer programming. Communications of the ACM , 1969;12(10):576-583, https://web.archive.org/web/20160304013345/http://www.spatial.maine.edu/~worboys/processes/hoare%20axiomatic.pdf
  11. RATS: https://github.com/andrew-d/rough-auditing-tool-for-security
  12. Coverity Static Application Security Testing (SAST): https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
  13. Coverity Scan: https://scan.coverity.com

The Author

Dr. Tobias Eggendorfer is a professor of IT security and a freelance IT consultant (http://www.eggendorfer.info). When he teaches IT forensics, his students moan from time to time, because long-forgotten knowledge from basic lectures suddenly becomes important again, which is exactly what makes IT forensics and security so exciting.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Analysis tour with Binary Ninja
    Binary analysis is an advanced technique used to work through cyberattacks and malware infestations and is also known as reverse engineering. We show you how to statically analyze binary programs with Binary Ninja, an interactive binary analysis platform.
  • Kernel and driver development for the Linux kernel
    The /proc filesystem facilitates the exchange of current data between the system and user. To access the data, you simply read and write to a file. This mechanism is the first step for understanding kernel programming. ü
  • From debugging to exploiting
    Kernel and compiler security techniques, together with sound programming practices, fend off memory corruption exploits.
  • Tuning I/O Patterns in Python

    In the third article of this three-part series, we look at simple write examples in Python and track the output with strace to see how it affects I/O patterns and performance.

  • Measuring the performance of code
    We look at how to determine the performance of a segment of code.
comments powered by Disqus