Static code analysis
Source Code: Find your bugs before someone else does!
by Thomas Hofer
www.b-i.com
b-i: branding. technology. integration.
confidential and proprietary ©blue-infinity branding.technology.integration
About me…
Thomas Hofer, Consultant (blue-infinity, Geneva)
Skills:
- Static analysis
- Solution architecture
- Software Engineering (Java – Rails – PHP)
Outline
Simple means to improve your code quality!
1. Introduction
   > Motivation
   > Static Source Code Analyzers
2. Recommendations
   > Our criteria
   > Selected tools
3. Additional Information
Reasons for this research
CERN is a prized target
> Renowned
> Internet Exchange Point
However: Any website could be targeted!
Potentially undesirable consequences of an attack:
> Loss of confidentiality
> Damaged reputation
> Loss of data
Security: when to care about it?
- Creating / Managing
  > Documents
  > Web Pages
  > Hardware
- Services
- Development
  > Software
  > Web Applications
Development and Security
- Training (before)
- Code review (right after)
- Vulnerability scanning (after)
Development and Security
- Training (before)
- Static source code analysis (during and after)
- Code review (right after)
- Vulnerability scanning (after)
Security and me…
- What can YOU do about it…
  > … without sacrificing your deadlines?
- Static Analysis
  > The earlier a bug is caught, the cheaper it is to fix!
Static source code analysis
A static source code analyzer:
- Reads your source code but…
  > Won’t execute or compile it (usually)!
- Looks for possible errors regarding
  > Security
  > Reliability
  > Functionality
What can they do?
A static source code analyzer can:
- Look for known and common errors
- Sometimes suggest fixes or improvements
- Offer help in finding bugs
- Find many kinds of bugs, not only security related
What can they not do?
A static source code analyzer cannot:
- ‘Automagically’ fix bugs
- Find all bugs (it will miss some: false negatives)
- Find only bugs (it will report some non-bugs: false positives)
Our criteria / requirements
- Quick results
- Very low ‘false alarms’ rate
- Ease of use
- At least some results…
Overview of selected tools
- Perl
  > Perl::Critic
  > RATS
- Java
  > FindBugs
  > CodePro Analyser
- PHP
  > Pixy
  > RATS
- C / C++
  > Flawfinder
  > RATS
  > Coverity
- Python
  > RATS
  > pychecker
  > pylint
Flawfinder
- C / C++
- Freeware / Unix
- Calls to commonly misused functions…
http://cern.ch/security/recommendations/en/codetools/flawfinder.shtml
FindBugs
- Java
- Freeware / Eclipse plugin
- Very flexible, ability to define custom rules…
http://cern.ch/security/recommendations/en/codetools/findbugs.shtml
CodePro Analytix
- Java
- Freeware / Google Web Toolkit
- As flexible as FindBugs, also ability to define your own rules
http://code.google.com/javadevtools/codepro/doc/index.html
Perl::Critic
- Perl
- Freeware / Unix – Perl module
- Best Practices: style and security
- Demo
http://cern.ch/security/recommendations/en/codetools/perl_critic.shtml
Pixy
- PHP
- Freeware / Unix
- XSS & SQLi
http://cern.ch/security/recommendations/en/codetools/pixy.shtml
RATS
- C / C++ / Perl (and, partially, Python and PHP)
- Freeware
- Calls to commonly misused functions
http://cern.ch/security/recommendations/en/codetools/rats.shtml
What else?
‘Ok, now that I have used this tool, I should be safe…’
Tools are not enough!
- Even the best tool will miss the most sophisticated errors
- Sensitive projects should be reviewed ‘manually’ by experts
A Fool with a Tool is still a Fool!
- ‘A fool with a tool is still a fool!’, D. Wheeler
- The code excerpt below was found in RealPlayer, in 2005 (CVE-2005-0455). The ‘Flawfinder: ignore’ comments silenced the tool’s warning about an unbounded strcpy into a fixed 256-byte buffer instead of fixing it:
  char tmp[256];              /* Flawfinder: ignore */
  strcpy(tmp, pScreenSize);   /* Flawfinder: ignore */
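As an added example (not from the slides, nor Flawfinder's or RATS's own code), here is a toy scanner in the spirit of the ‘calls to commonly misused functions’ tools listed above and of the RealPlayer lesson: it flags a handful of risky C calls and, rather than silently honouring a ‘/* Flawfinder: ignore */’ comment, records the suppression so a reviewer can audit every silenced warning. The function list, the Finding type and the sample C source are assumptions constructed for this example.

```python
"""Toy Flawfinder-style scanner (added example, not Flawfinder's own code):
flags risky C calls and records, rather than hides, 'Flawfinder: ignore'."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed subset of the "commonly misused functions" such tools look for.
RISKY_CALLS: Dict[str, str] = {
    "strcpy": "unbounded copy into a fixed buffer; check the length first",
    "strcat": "unbounded concatenation; check remaining space first",
    "sprintf": "unbounded formatted write; prefer snprintf with a checked size",
    "gets": "reads with no bound at all; prefer fgets",
}
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
IGNORE_RE = re.compile(r"/\*\s*Flawfinder\s*:\s*ignore\s*\*/")

@dataclass
class Finding:
    line: int
    func: str
    suppressed: bool  # True when the line carries an ignore directive
    hint: str

def scan(source: str) -> List[Finding]:
    """One Finding per risky call. Suppressed calls are kept, flagged,
    so every ignore directive stays visible to a human reviewer."""
    findings = []
    for num, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]  # strip a trailing line comment
        suppressed = bool(IGNORE_RE.search(text))
        for match in CALL_RE.finditer(code):
            func = match.group(1)
            findings.append(Finding(num, func, suppressed, RISKY_CALLS[func]))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a reviewer wants: open findings and silenced ones."""
    silenced = sum(1 for f in findings if f.suppressed)
    return {"open": len(findings) - silenced, "suppressed": silenced}

# Constructed sample modelled on the RealPlayer excerpt from the slide.
SAMPLE = """\
/* constructed sample, not real RealPlayer source */
char tmp[256]; /* Flawfinder: ignore */
strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
char name[64];
strncpy(name, user, sizeof name - 1);
sprintf(buf, "%s", user);
"""
```

Running scan(SAMPLE) yields two findings: the strcpy on line 3 (suppressed, so it still needs a human look) and the sprintf on line 6 (open); summarize() reports one open and one suppressed.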
Further information
http://cern.ch/security/recommendations/en/code_tools.shtml
> Presentation of the tools
> Installation, configuration and usage advice
> Explanation of some common errors
> Advice for developing more secure software
Thank you!
To contact me: [email protected]