https://crocs.fi.muni.cz @CRoCS_MUNI
Łukasz Chmielewski lukchmiel@gmail.com
Centre for Research on Cryptography and Security, Masaryk University
PA193 - Secure coding principles and
practices
Static analysis of source code
Slides for comments (Thank you!)
https://drive.google.com/file/d/1--mAb7dMKd0mB6rnyToevKbmKJF8aZTQ/view?usp=sharing
https://crocs.fi.muni.cz @CRoCS_MUNI
PROBLEM
2 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
What is wrong with this code?
3 | PA193 - Static analysis of software
network_receive(uchar* in_packet, short &in_packet_len); // TLV
uchar* in = in_packet + 3;
short length = make_short(in_packet + 1);
uchar* out_packet = malloc(1 + 2 + length);
uchar* out = out_packet + 3;
memcpy(out, in, length);
network_transmit(out_packet);
https://crocs.fi.muni.cz @CRoCS_MUNI
network_receive(uchar* in_packet, short &in_packet_len); // TLV
uchar* in = in_packet + 3; short length = make_short(inpacket + 1);
uchar* out_packet = malloc(1 + 2 + length);
uchar* out = out_packet + 3;
memcpy(out, in, length);
network_transmit(out_packet);
OpenSSL Heartbleed – “packet repeater”
| PA193 - Static analysis of software
Payload [length B]length [2B]Type [1B]
unsigned char* in
Payload (length B)length [2B]Type [1B]
unsigned char* out
Payload [length B]
4
https://crocs.fi.muni.cz @CRoCS_MUNI
network_receive(uchar* in_packet, short &in_packet_len); // TLV
uchar* in = in_packet + 3;
uchar* out_packet = malloc(1 + 2 + length);
uchar* out = out_packet + 3;
memcpy(out, in, length);
network_transmit(out_packet);
Problem?
| PA193 - Static analysis of software
Payload [1B]Type [1B]
unsigned char* in
Payload (65535B)0xFFFF [2B]Type [1B]
unsigned char* out
… Heap memory …
Payload [1B] Heap memory (keys, passwords…)
0x0001 [2B]0xFFFF [2B]
Problem! https://heartbleed.com
in_packet_len != length + 3
5
https://crocs.fi.muni.cz @CRoCS_MUNI
How serious the bug was?
• \
• http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-
trusted-websites-vulnerable-to-heartbleed-bug.html
| PA193 - Static analysis of software
17% SSL web servers (OpenSSL 1.0.1)
Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, DuckDuckGo…
https://seznam.cz, https://fi.muni.cz …
6
https://crocs.fi.muni.cz @CRoCS_MUNI7 | PA193 - Secure coding
https://crocs.fi.muni.cz @CRoCS_MUNI
STATIC AND DYNAMIC ANALYSIS
10 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
How to find bugs in code?
• Manual analysis of code
– code review, security code review
• Manual “dynamic” testing
– running program, observe expected output
• Automated analysis of code without execution
– static analysis (pattern matching, symbolic execution)
• Automated analysis of code with execution
– dynamic analysis (running code)
• Automated testing of inputs (fuzzing)
11 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Approaches for automated code review
• Formal methods (mathematical verification)
– requires mathematical model and assertions
– often requires modeling the system as finite state machine
• verification of every state and transition
• (outside the scope of this course, consider IA169)
• Code metrics
– help to identify potential hotspots (complex code)
– e.g., Cyclomatic complexity (number of linearly indep. paths)
• Review and inspection
– tries to find suspicious patterns
– automated version of human code review
12 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Microsoft’s Secure Development Lifecycle
13 | PA193 - Static analysis of software
Taken from http://www.microsoft.com/security/sdl/process/implementation.aspx
https://crocs.fi.muni.cz @CRoCS_MUNI
Static vs. dynamic analysis
• Static analysis
– examine program’s code without executing it
– can examine both source code and compiled code
• source code is easier to understand (more metadata)
– can be applied on unfinished code
– manual code audit is kind of static analysis
• Dynamic analysis
– code is executed (compiled or interpreted)
– input values are supplied, internal memory is examined…
15 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Types of static analysis
• Type checking – performed by compiler
• Style checking – performed by automated tools
• Program formal verification
– annotations & verification of specified properties
• Bug finding / hunting
– between style checking and verification
– more advanced static analysis
– aim to infer real problem, not only pattern match
• Security Review
– previous possibilities with additional support for review
17 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Type checking
• Type checking – performed by compiler
– errors against language rules prevents compilation
– warnings usually issued when problematic type manipulation occur
– false positives possible (short=int=short), but don’t ignore!
• Security problems due to wrong types
– string format vulnerabilities
– type overflow → buffer overflow
– data loss (bigger type to smaller type)
• More on type checking later with compiler warnings
19 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Style checking
• Style checking – performed by automated tools
– set of required code rules
• Separate tools
– MS style checker
– Unix: lint tool (http://www.unix.com/man-page/FreeBSD/1/lint)
– Checkstyle
– PMD (http://pmd.sourceforge.net/)
– Google C++ style checker: C++lint
• https://github.com/darcyliu/google-styleguide/blob/master/cppguide.xml
• https://github.com/google/styleguide/blob/gh-pages/cpplint/cpplint.py
• Compiler warnings gcc –Wall gcc -Wextra
20 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Bug finding
• No language errors != secure program
– finding bugs, even when language permits it
• Examples:
– Buffer overflow possible?
– User input formatted into system() call?
– Hard-coded secrets?
• Tool must keep false positives low
– do not report as a bug something which isn’t
– there is simply too many potential problems
• Tools: FindBugs, PREfast, Coverity...
22 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Security analysis and review
• Usage of analysis tool to perform security review
– Usually multiple tools are used during the process
• Difference between compiler (e.g., gcc) and additional tool (e.g.,
cppcheck):
– Compiler must never report error that isn’t (lang. standard)
– Compiler must report low # of false warning (as heavily used by normal
“uneducated” developers)
– Tool executed for automatic reporting should have low # of false warnings
(otherwise untrusted)
– Tool executed during manual code review / pentest can have higher # of false
warnings (as filtered by expert)
23 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
BEFORE DIGGING TO CONCRETE
TOOLS…
24 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Static analysis limitations
• Overall program architecture is not understood
– sensitivity of program path
– impact of errors on other parts
• Application semantics is not understood
– Is string returned to the user? Can string also contain passwords?
• Social context is not understood
– Who is using the system? High entropy keys encrypted under short guessable
password?
25 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Problem of false positives/negatives
• False positives
– errors reported by a tool that are not real errors
– too conservative analysis
– inaccurate model used for analysis
– annoying, more code needs to be checked, less readable output, developers
tend to have as an excuse (for not fixing other problems reported by tool)
• False negatives
– real errors NOT reported by a tool
– missed problems, e.g., missing rules for detection
26 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
False positives – limits of static analysis
• When foo() is called, always writes outside buffer
• Should you fix it even when foo() is not called?
27 | PA193 - Static analysis of software
void foo()
{
char a[10];
a[20] = 0;
}
d:\StaticAnalysis>cppcheck example.cpp
Checking example.cpp...
[example.cpp:4]: (error) Array 'a[10]' accessed at index 20, which
is out of bounds.
https://crocs.fi.muni.cz @CRoCS_MUNI
False positives – limits of static analysis
• For x + y != 2 false positive
• But analyzer cannot be sure about x & y values
28 | PA193 - Static analysis of software
int x = 0;
int y = 3;
void foo()
{
char a[10];
if (x + y == 2) {
a[20] = 0;
}
} d:\StaticAnalysis>cppcheck example.cpp
Checking example.cpp...
[example.cpp:7]: (error) Array 'a[10]' accessed at index 20, which
is out of bounds.
problematic assignment
put inside condition
https://crocs.fi.muni.cz @CRoCS_MUNI
False positives – limits of static analysis
• No problem detected – constants are evaluated in compile
time and condition is now completely removed
29 | PA193 - Static analysis of software
const int x = 0;
const int y = 3;
void foo()
{
char a[10];
if (x + y == 2) {
a[20] = 0;
}
}
const added (same as for #define)
d:\StaticAnalysis>cppcheck --debug example.cpp
Checking example.cpp...
##file example.cpp
1:
2:
3:
4: void foo ( )
5: {
6: char a@3 [ 10 ] ;
7:
8:
9:
10: }
d:\StaticAnalysis>cppcheck example.cpp
Checking example.cpp...
https://crocs.fi.muni.cz @CRoCS_MUNI
False positives – limits of static analysis
• Whole program is not executed and evaluated
30 | PA193 - Static analysis of software
void foo2(int x, int y) {
char a[10];
if (x + y == 2) {
a[20] = 0;
}
}
int main() {
foo2(0, 3);
return 0;
}
d:\StaticAnalysis>cppcheck --debug example.cpp
Checking example.cpp...
##file example.cpp
1: void foo2 ( int x@1 , int y@2 ) {
2: char a@3 [ 10 ] ;
3: if ( x@1 + y@2 == 2 ) {
4: a@3 [ 20 ] = 0 ;
5: }
6: }
7: int main ( ) {
8: foo2 ( 0 , 3 ) ;
9: return 0 ;
10:}
[example.cpp:4]: (error) Array 'a[10]' accessed at index 20,
which is out of bounds.
https://crocs.fi.muni.cz @CRoCS_MUNI
BUILD-IN COMPILER ANALYSIS
32 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Warnings – how compiler signals potential troubles
• MSVC /W n
– /W 0 disables all warnings
– /W 1 & /W 2 basic warnings
– /W 3 recommended for production purposes for legacy code (default)
– /W 4 recommended for all new compilations
– /Wall == /W4 + extra
• GCC -Wall, -Wextra
• Treat warnings as errors
– GCC –Werror, MSVC /WX
– forces you to fix all warnings, but slightly obscure nature of problem
34 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
warning C4018: '>=' : signed/unsigned mismatch
• What will be the output of following code?
– string "x > y"
– but also compiler warning C4018
35 | PA193 - Static analysis of software
#include <iostream>
using namespace std;
int main(void) {
int x = -100;
unsigned int y = 100;
if (x > y) { cout << "x > y"; }
else { cout << "y >= x"; }
return 0;
}
int → unsigned int
-100 → 0xffffff9c
https://crocs.fi.muni.cz @CRoCS_MUNI
Recommendations for MSVC CL
• Compile with higher warnings /W4
• Control and fix especially integer-related warnings
– warning C4018: '>=' : signed/unsigned mismatch
• comparing signed and unsigned values, signed value must be converted to
unsigned
– C4244, C4389 – possible loss of data because of truncation or
signed&unsigned variables operation
• If existing code is inspected, look for
– #pragma warning (disable, Cxxxx) where xxxx is above
– (developers may disable to suppress false warnings, missing all real ones)
• Use compiler /RTC flag
36 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Recommendations for GCC
• GCC –Wconversion
– warn about potentially problematic conversions
– fixed → floating point, signed → unsigned, ...
• GCC –Wsign-compare
– signed → unsigned producing incorrect result
– warning: comparison between signed and unsigned integer expressions [-
Wsign-compare]
– http://stackoverflow.com/questions/16834588/wsign-compare-warning-in-g provides example of real
problem
• Runtime integer error checks using –ftrapv
– trap function called when signed overflow in addition, subs, mult. occur
– but significant performance penalty (continuous overflow checking) 
37 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
GCC -ftrapv
38 | PA193 - Static analysis of software
/* compile with gcc -ftrapv <filename> */
#include <signal.h>
#include <stdio.h>
#include <limits.h>
void signalHandler(int sig) {
printf("Type overflow detected\n");
}
int main() {
signal(SIGABRT, &signalHandler);
int largeInt = INT_MAX;
int normalInt = 42;
int overflowInt = largeInt + normalInt; /* should cause overflow */
/* if compiling with -ftrapv, we shouldn't get here */
return 0;
}
http://stackoverflow.com/questions/5005379/c-avoiding-overflows-when-working-with-big-numbers
https://crocs.fi.muni.cz @CRoCS_MUNI
STATIC ANALYSIS TOOLS
39 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Both free and commercial tools
• Commercial tools
– Coverity (now under Synopsys), Veracode (CA Technologies)
– Microsoft PREfast (included in Visual Studio)
– PC-Lint (Gimpel Software), Klocwork Insight (Perforce)
• Free tools
– CppCheck http://cppcheck.sourceforge.net/
– Clang static analyzer https://clang-analyzer.llvm.org/
– csmock (multiple static analysers including clang, gcc, cppcheck, shellcheck, pylint, Bandit, Smatch,
Coverity)
– SpotBugs https://github.com/spotbugs/spotbugs (for Java programs, originally named FindBugs)
– PMD https://pmd.github.io/
– ShellCheck https://www.shellcheck.net/
– Flawfinder https://www.dwheeler.com/flawfinder/, Splint http://www.splint.org/
– Rough Auditing Tool for Security (RATS) http://code.google.com/p/rough-auditing-tool-for-security/
– ...
41 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Cppcheck
• A tool for static C/C++ code analysis
– Open-source freeware, https://cppcheck.sourceforge.net/
– Online demo https://cppcheck.sourceforge.net/demo/
• Last version 2.7 (2022-02-05)
• Used to find bugs in open-source projects (Linux kernel... )
• Command line & GUI version
• Standalone version, plugin into IDEs, version control...
– Code::Blocks, Codelite, Eclipse, Jenkins...
– Tortoise SVN, Visual Studio …
• Cross platform (Windows, Linux)
– sudo apt-get install cppcheck
46 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Cppcheck – what is checked?
• Bound checking for array overruns
• Suspicious patterns for class
• Exceptions safety
• Memory leaks
• Obsolete functions
• sizeof() related problems
• String format problems...
• See full list
http://sourceforge.net/apps/mediawiki/cppcheck/index.php?title=Main_Page#Checks
47 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Cppcheck – categories of problems
• error – when bugs are found
• warning - suggestions about defensive programming to prevent bugs
• style - stylistic issues related to code cleanup (unused functions, redundant
code, constness...)
• performance - suggestions for making the code faster.
• portability - portability warnings. 64-bit portability. code might work different on
different compilers. etc.
• information - Informational messages about checking problems
48 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Cppcheck – complex custom rules
• Based on execution of user-supplied C++ code
– possible more complex analysis
1. Use cppcheck.exe --debug file.cpp
– outputs simplified code including Cppcheck’s internal variable unique ID
2. Write C++ code fragment performing analysis
3. Recompile Cppcheck with new rule and execute
• Read more details
– http://sourceforge.net/projects/cppcheck/files/Articles/
– http://www.cs.kent.edu/~rothstei/fall_14/sec_notes/writing-rules-3.pdf
53 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
PREfast - Microsoft static analysis tool
56 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
PREfast – example bufferOverflow
58 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
PREfast – what can be detected
• Potential buffer overflows
• Memory leaks, uninitialized variables
• Excessive stack usage
• Resources – release of locks...
• Incorrect usage of selected functions
• List of all code analysis warnings http://msdn.microsoft.com/en-
us/library/a5b9aa09.aspx
59 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
PREfast settings
• http://msdn.microsoft.com/en-us/library/ms182025.aspx
| PA193 - Static analysis of software60
https://crocs.fi.muni.cz @CRoCS_MUNI
Coverity (free for open-source)
• Commercial static & dynamic analyzer
• Free for C/C++ & Java open-source projects
• https://scan.coverity.com/
• Process
– Register at scan.coverity.com (GitHub account usage possible)
– Download Coverity build tool for your platform
• Quality and Security Advisor
– Build your project with cov-build
• cov-build --dir cov-int <build command>
– Zip and submit build for analysis (works on binary, not source)
• Can be integrated with Travis CI (continuous integration)
– https://scan.coverity.com/travis_ci
62 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI63 | PA193 - Static analysis of software
++
https://crocs.fi.muni.cz @CRoCS_MUNI
Code scanning with GitHub + Actions + Codacy
64 | PA193 - Static analysis of software
+ +
https://crocs.fi.muni.cz @CRoCS_MUNI
SpotBugs
• Static analysis of Java programs (continuation of FindBugs)
• Extended coverage for OWASP Top 10 and CWE
• Current version 4.5.3 (2022-01-05)
– https://github.com/spotbugs/spotbugs
– Command-line, GUI, plugins into variety of tools
– Support for custom rules
• FindSecurityBugs 1.11.0. (2020-10-29)
– Additional detection rules for SpotBugs
– https://h3xstream.github.io/find-sec-bugs/bugs.htm
65 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
PMD Source Code Analyzer
• https://pmd.github.io/
• Static analyser, mainly focused on Java, but other languages as well
• Current version 6.43.0 (2022-02-26)
• Additional features like copy-paste detector
67 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
How to reason about available tooling
• Understand problems
– Previous ones, likely to repeat, patterns…, read bug dissection reports
• Understand principles of solution
– What tool is used to detect problem, how was tool configured…
• Find suitable tooling for your environment
– Language, operating system…
• Integrate, automate (CI)
– Run tests and analysis tools frequently and automatically
• Understand limitations (what is not detected)
68 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
How many false positives are too many?
• “Because its analysis is sometimes imprecise, FindBugs can report
false warnings, which are warnings that do not indicate real errors. In
practice, the rate of false warnings reported by FindBugs is less than
50%.”
FindBugs™ Fact Sheet
69 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
STATIC ANALYSIS IS NOT PANACEA
70 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI71 | PA193 - Static analysis of software
// Note: GCC and MSVC uses different memory alignment
// Try "12345678DevilEvecosia" as a password for gcc build
// Try "1234567812345678Devil I am. Ha Ha" as a password for MSVC debug build
void demoBufferOverflowData() {
int unused_variable = 30;
#define NORMAL_USER 'n'
#define ADMIN_USER 'a'
int userRights = NORMAL_USER;
#define USER_INPUT_MAX_LENGTH 8
char userName[USER_INPUT_MAX_LENGTH];
char passwd[USER_INPUT_MAX_LENGTH];
// print some info about variables
printf("%-20s: %p\n", "userName", userName);
printf("%-20s: %p\n", "passwd", passwd);
printf("%-20s: %p\n", "unused_variable", &unused_variable);
printf("%-20s: %p\n", "userRights", &userRights);
printf("\n");
// Get user name
memset(userName, 1, USER_INPUT_MAX_LENGTH);
memset(passwd, 2, USER_INPUT_MAX_LENGTH);
printf("login as: ");
fflush(stdout);
gets(userName);
// Get password
printf("%s@vulnerable.machine.com: ", userName);
fflush(stdout);
gets(passwd);
// Check user rights (set to NORMAL_USER and not changed in code)
if (userRights == NORMAL_USER) {
printf("\nWelcome, normal user '%s', your rights are limited.\n\n", userName);
fflush(stdout);
}
if (userRights == ADMIN_USER) {
printf("\nWelcome, all mighty admin user '%s'!\n", userName);
fflush(stdout);
}
// How to FIX:
//memset(userName, 0, USER_INPUT_MAX_LENGTH);
//fgets(userName, USER_INPUT_MAX_LENGTH - 1, stdin);
//memset(passwd, 0, USER_INPUT_MAX_LENGTH);
//fgets(passwd, USER_INPUT_MAX_LENGTH - 1, stdin);
}
Cppcheck --enable=all
d:\StaticAnalysis>cppcheck --enable=all bufferOverflow.cpp
Checking bufferOverflow.cpp...
[bufferOverflow.cpp:26]: (style) Obsolete function 'gets' called. It is recommended to use
the function 'fgets' instead.
[bufferOverflow.cpp:31]: (style) Obsolete function 'gets' called. It is recommended to use
the function 'fgets' instead.
MSVC /W4
1> BufferOverflow.cpp
1>bufferoverflow.cpp(32): warning C4996: 'gets': This function or variable may be unsafe.
Consider using gets_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
1> c:\program files (x86)\microsoft visual studio 11.0\vc\include\stdio.h(261) : see declaration of 'gets'
1>bufferoverflow.cpp(37): warning C4996: 'gets': This function or variable may be unsafe.
Consider using gets_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
1> c:\program files (x86)\microsoft visual studio 11.0\vc\include\stdio.h(261) : see declaration of 'gets'
1>bufferoverflow.cpp(78): warning C4996: 'strncpy': This function or variable may be unsafe.
Consider using strncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
1> c:\program files (x86)\microsoft visual studio 11.0\vc\include\string.h(191) : see declaration of 'strncpy'
1>bufferoverflow.cpp(81): warning C4996: 'sprintf': This function or variable may be unsafe.
Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
1> c:\program files (x86)\microsoft visual studio 11.0\vc\include\stdio.h(357) : see declaration of 'sprintf'
MSVC /analyze (PREfast)
1> BufferOverflow.cpp
bufferoverflow.cpp(32): warning : C6386: Buffer overrun while writing to 'userName':
the writable size is '8' bytes, but '4294967295' bytes might be written.
bufferoverflow.cpp(37): warning : C6386: Buffer overrun while writing to 'passwd':
the writable size is '8' bytes, but '4294967295' bytes might be written.
https://crocs.fi.muni.cz @CRoCS_MUNI
Type overflow – example with dynalloc
72 | PA193 - Static analysis of software
typedef struct _some_structure {
float someData[1000];
} some_structure;
void demoDataTypeOverflow(int totalItemsCount, some_structure* pItem,
int itemPosition) {
// See http://blogs.msdn.com/oldnewthing/archive/2004/01/29/64389.aspx
some_structure* data_copy = NULL;
int bytesToAllocation = totalItemsCount * sizeof(some_structure);
printf("Bytes to allocation: %d\n", bytesToAllocation);
data_copy = (some_structure*) malloc(bytesToAllocation);
if (itemPosition >= 0 && itemPosition < totalItemsCount) {
memcpy(&(data_copy[itemPosition]), pItem, sizeof(some_structure));
}
else {
printf("Out of bound assignment");
return;
}
free(data_copy);
}
Cppcheck --enable=all
d:\StaticAnalysis>cppcheck --enable=all typeOverflow.cpp
Checking typeOverflow.cpp...
[typeOverflow.cpp:17]: (error) Memory leak: data_copy
MSVC /W4
1> typeOverflow.cpp nothing ☺
MSVC /analyze (PREfast)
1> typeOverflow.cpp
bufferoverflow.cpp(13): warning : C6011:
Dereferencing NULL pointer 'data_copy'.
https://crocs.fi.muni.cz @CRoCS_MUNI
What potential bug was not found?
73 | PA193 - Static analysis of software
typedef struct _some_structure {
float someData[1000];
} some_structure;
void demoDataTypeOverflow(int totalItemsCount, some_structure* pItem,
int itemPosition) {
// See http://blogs.msdn.com/oldnewthing/archive/2004/01/29/64389.aspx
some_structure* data_copy = NULL;
int bytesToAllocation = totalItemsCount * sizeof(some_structure);
printf("Bytes to allocation: %d\n", bytesToAllocation);
data_copy = (some_structure*) malloc(bytesToAllocation);
if (itemPosition >= 0 && itemPosition < totalItemsCount) {
memcpy(&(data_copy[itemPosition]), pItem, sizeof(some_structure));
}
else {
printf("Out of bound assignment");
return;
}
free(data_copy);
}
https://crocs.fi.muni.cz @CRoCS_MUNI
Test suites – vulnerable code, benchmark
• SAMATE Juliet Test Suite
– huge test suite which contains at least 45000 C/C++ test cases
– http://samate.nist.gov/SRD/testsuite.php
• Static analysis test suite for C programs
– https://web.archive.org/web/20110623134953/http://mathind.csd.auth.gr/static
_analysis_test_suite/
• Suitable for testing new methods, but NOT for comparison of
existing commercial products
– Public suites, products already optimized for it
74 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
SUMMARY
75 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Summary
• Static analysis is VERY important tool for writing secure software
– Significant portion of analysis done already by compiler (errors, warnings)
– Can run on unfinished code
• Multiple tools exist (both free and commercial)
– Predefined set of rules, custom rules can be also written
– Differ in capability, supported languages, target audience, maturity…
– Experiment with available tools and find the right for your scenario
• Static analysis cannot find all problems
– Problem of false positives/negatives
– No substitution for extensive testing and defensive programming
76 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI
Mandatory reading
• Coverity open-source reports 2013/2014/2017/2020
– Report of analysis for open-source projects
– https://na-sjf.marketo.com/rs/appsec/images/2013-Coverity-Scan-Report.pdf
– https://na-sjf.marketo.com/rs/157-LQW-289/images/2014-Coverity-Scan-Report.pdf
– https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/SCAN-Report-2017.pdf
– https://ttpsc.com/wp3/wp-content/uploads/2020/10/2020-ossra-report.pdf
– https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-
ossra-2021.pdf
• How open-source and closed-source compare w.r.t. number of defects?
• How open-source vs. closed-source address OWASP Top 10?
• What are typical issues in C/C++ code?
• How situation changed between 2013 and 2021?
77 | PA193 - Static analysis of software
https://crocs.fi.muni.cz @CRoCS_MUNI78 | PA193 - Secure coding
Questions