No liftoff, touchdown, or heartbeat shall miss because of a software failure

Presented at Embedded World 2019, Walter Capitani, director of product management, discusses static code analysis technology and the applications in safety-critical development. Topics covered include coding standards, development processes and methodologies, and ideas for the future.

  1. No liftoff, touchdown, or heartbeat shall miss because of a software failure – how do we do it? Walter Capitani, Director, Product Management. © 2019 Rogue Wave Software, Inc. All Rights Reserved.
  2. Presenter: Walter Capitani, Director, Product Management, Rogue Wave Software. walter.capitani@roguewave.com, Twitter: @walter_capitani
  3. The problem
     • How can we build reliable and secure safety-critical software and achieve standards compliance?
       – Use tools that can automate compliance, quality, and security checking, such as static code analysis
       – Are all static code analysis tools built the same?
       – How can we leverage modern DevOps tools and concepts to make this easier?
  4. Introducing: Klocwork 2019
     • Hundreds of checkers for C, C++, C# and Java
     • Support for numerous standards
     • Customizable:
       – Turn checkers on or off
       – Change the severity of identified defects
       – Add custom checkers
     Coding Standards & Maintainability
     • MISRA, DISA, CWE, CERT, etc.
     • Dead code
     • Unreachable code
     • Calculated values that are never used
     • Unused function parameters
     • And many more…
     Reliability
     • Memory and resource leaks
     • Concurrency violations
     • Infinite loops
     • Dereferencing NULL pointers
     • Usage of uninitialized data
     • Resource management
     • Memory allocation errors
     • And many more…
     Security
     • Buffer overflow
     • Un-validated user input
     • SQL injection
     • Path injection
     • File injection
     • Cross-site scripting
     • Information leakage
     • Vulnerable coding practices
     • And many more…
  5. [Video]
  6. Klocwork 2019 and compliance
     Significantly reduces the cost of reliable, secure software
     • Complements existing testing approaches
     • Automated and repeatable analysis
     Enforce key industry standards
     • DISA STIG, CWE, MISRA
     • CERT, SAMATE
     • OWASP, DO-178B, FDA validation
     • ...and more
  7. How do we do it?
  8. Klocwork analyzes your source code
     • The Klocwork algorithm includes multiple analysis technologies:
       – Syntax Analysis
       – Data Flow Analysis
       – Symbolic Logic Analysis
     • Requires source code
       – The most accurate tools must be able to compile the code
       – No changes to your existing build flow
     • Different types of analysis
       – Intra-procedural (simplest analysis)
       – Inter-procedural
       – Inter-file
  9. Build Process Interpretation
     • Understand how the source code is:
       – Compiled
       – Linked
       – Automated code generation
       – Custom build steps
  10. Klocwork Technologies
  11. Syntax Analysis
      • Creates a lossless transformation of the source code
      • Generates the ‘Abstract Syntax Tree’
      • Can be used to find coding style issues and simple defects
        – Simple security defects (e.g. use of a banned encryption API)
        – Simple coding style issues (e.g. no dynamic memory allocation)
      [Figure: source code beside its Abstract Syntax Tree; the call node with Name = “malloc” is annotated “This function allocates memory”]
  12. Example defect
      Vulnerable Code:
          if(i = j) j++;
      Defect: Assignment operator used in conditional statement
      Fixed Code:
          if(i == j) j++;
      Assignment operator replaced with intended comparison operator
  13. This seems to work well, but…
      • These defects are contained in a single program statement
      • They are not dependent on values from external functions
      • Syntax Analysis can only find a limited set of defects
      To find more interesting defects you need to perform more sophisticated analysis
  14. Data Flow Analysis
      • Monitoring of the lifecycle of data objects:
        – Creation
        – Assignment
        – Usage
        – Deletion
      • Must be monitored across all paths in the Control Flow Graph
        – Function calls
        – Compilation units
      • Can find program crashes across functions and files
  15. Data Flow Analysis - example
      • This function a() will cause the program to crash at line 3
      • This function g() will cause the program to crash if position is outside the valid range – how do we know if this will happen?
      Vulnerable Code:
          1 void a(){
          2   int buffer[32];   // valid range of 0..31
          3   buffer[35] = 5;   // buffer access outside valid range (35)
          4   return;
          5 }
      Defect: Array bounds violation
          1 void g(int position, int value){
          2   int buffer[32];   // valid range of 0..31
          3   buffer[position] = value;
          4   return;
          5 }
  16. Data Flow Analysis - example
      • Data Flow Analysis tracks what potential values are actually used when function f() calls function g()
      Vulnerable Code:
          1 void g(int position, int value){
          2   int buffer[32];   // valid range of 0..31
          3   buffer[position] = value;
          4   return;
          5 }
          1 void f(){
          2   g(10,55);   // calls function g with position=10, value=55
          3   return;
          4 }
      No defect: values within valid range
  17. Data Flow Analysis - example
      • Data Flow Analysis tracks what potential values are actually used when function h() calls function g()
      Vulnerable Code:
          1 void g(int position, int value){
          2   int buffer[32];           // valid range of 0..31
          3   buffer[position] = value; // buffer access outside valid range (35)
          4   return;
          5 }
          1 void h(){
          2   g(35,25);   // calls function g with position=35, value=25
          3   return;
          4 }
      Defect: Array bounds violation (program crash)
  18. Data Flow Analysis - example
      • Data Flow Analysis tracks what potential values are actually used when function h() calls function g()
      Fixed Code:
          1 void g(int position, int value){
          2   int buffer[32];                      // valid range of 0..31
          3   if (position < 0 || position > 31)   // Check position is valid
          4     return;
          5   buffer[position] = value;
          6   return;
          7 }
          1 void h(){
          2   g(35,25);   // calls function g with position=35, value=25
          3   return;
          4 }
      No defect
  19. This also seems to work well, but…
      • Data Flow Analysis alone can only understand actual numeric values (or ranges of values)
      • What if there are no numeric values at all? How do we determine valid data flow paths?
      To find more interesting defects you need to augment data flow analysis with Symbolic Logic
  20. Symbolic Logic
      • Define functional behavior between symbols
      • Don’t necessarily know what the values will be at runtime
      • Used to infer software behavior
           1 void f(int i, int j){
           2   int buffer[32];             // valid range of 0..31
           3   i = j;
           4   int k;                      // k is declared here (the slide leaves line 4 blank)
           5   /* set the value of k */
           6   if (i == j)
           7     k = get_tainted_data();   // Since i equals j, k is tainted
           8   else
           9     k = 0;
          10
          11   /* read the value of k */
          12   if (i != j)                 // Since i == j, k will not be used
          13     buffer[k] = 0;
          14   return;
          15 }
      (get_tainted_data() stands for an external function that returns unvalidated input.)
  21. Symbolic Logic
      • Symbolic logic determines that since i = j, there is no use of tainted data at line 13
      • Otherwise a tool must “guess” at the defect
      • If we change line 12, then a defect appears!
      Vulnerable Code (line 12 changed):
           1 void f(int i, int j){
           2   int buffer[32];             // valid range of 0..31
           3   i = j;
           4   int k;
           5   /* set the value of k */
           6   if (i == j)
           7     k = get_tainted_data();   // Since i equals j, k is tainted
           8   else
           9     k = 0;
          10
          11   /* read the value of k */
          12   if (i == j)                 // Since i == j, k will be used
          13     buffer[k] = 0;
          14   return;
          15 }
      Defect: Unvalidated input in array index (program crash)
  22. How can Continuous Integration make it even better?
  23. What is continuous integration (CI)?
      • In software engineering, CI is the practice of merging all developer working copies to a shared mainline several times a day. Grady Booch first named and proposed CI in his 1991 method, although he did not advocate integrating several times a day.
      • Continuous integration – the practice of frequently integrating one's new or changed code with the existing code repository – should occur frequently enough that no intervening window remains between commit and build, and such that no errors can arise without developers noticing them and correcting them immediately.
  24. Example CI process
  25. Continuous integration and static code analysis – better together
  26. Example CI process with SCA
  27. Enhanced SCA process with CI
      • For some developers, compiling their code on the desktop is not possible, so desktop analysis is not an option
      • In addition, integration issues may still be detected after check-in, even when using desktop analysis
      [Figure: timeline in which Developer 1 and Developer 2 each go through Edit & Save → Analyze & Fix → Compile & Test → Check In, followed by a shared Integrate → Compile & Test step, annotated “New possible issues found here!”]
  28. Continuous static code analysis
  29. The future: Continuous static code analysis …
      • Continuous static code analysis (CSCA) brings all the benefits of centralised server-side, deep, inter-procedural control- and data-flow analysis to a near-desktop feedback timescale!
      • Central management of development systems fits well with the DevOps movement
      • Enables continuous reporting and continuous compliance
      Advantages
      • Near desktop speed feedback loop
      • Server accuracy, centralised configuration
      • Visibility of the current status
  30. Klocwork is designed for CI
      • Automated – Supporting the most important CI build management systems
      • Fast(er) – To reduce feedback time, only the affected code should be analyzed
      • Scalable – By requiring minimal resources and deploying across multiple agents
      • Relevant – By reporting only the information that is required for the given context (example: only the diffs since the last build / build X)
  31. [Video]
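The inter-procedural value tracking of slides 15-18, as an added example that is neither Klocwork's nor the presenter's code: a toy interval analysis over a hand-built intermediate representation. The Func class, the "guard"/"store"/"call" statement tuples and the PROG table are assumptions constructed here to mirror the slides' a(), g(), f() and h(); the buffer size 32 and the call values 10/55 and 35/25 are the slides' own. Argument ranges flow down at each call, a range check narrows the parameter on its fall-through path, and a store is reported only when the tracked interval can leave 0..31.

```python
INT_MIN, INT_MAX = -2**31, 2**31 - 1      # an entry point's parameters may hold any int

class Func:                                # params, local buffer size (0 = none), body
    def __init__(self, params, buffer_size, body):
        self.params, self.buffer_size, self.body = params, buffer_size, body

def interval(env, x):                      # int constant -> [x, x]; parameter -> its range
    return env[x] if isinstance(x, str) else (x, x)

def analyze(prog, name, arg_ranges, path, defects):
    fn, path = prog[name], path + [name]
    env = dict(zip(fn.params, arg_ranges))  # ranges the caller actually passes in
    for s in fn.body:
        if s[0] == "guard":                 # ("guard", p, lo, hi): return unless lo <= p <= hi
            lo, hi = env[s[1]]
            lo, hi = max(lo, s[2]), min(hi, s[3])
            if lo > hi:                     # the guard always returns: rest is unreachable
                return
            env[s[1]] = (lo, hi)            # fall-through path: p is now within the guard
        elif s[0] == "store":               # ("store", idx): buffer[idx] = ...
            lo, hi = interval(env, s[1])
            if lo < 0 or hi >= fn.buffer_size:
                defects.append(("Array bounds violation", path, s[1], (lo, hi)))
        elif s[0] == "call":                # ("call", callee, args): hand actual ranges down
            analyze(prog, s[1], [interval(env, a) for a in s[2]], path, defects)

def find_defects(prog, entry_points):
    defects = []
    for e in entry_points:                  # entry points get full-range (unknown) parameters
        analyze(prog, e, [(INT_MIN, INT_MAX)] * len(prog[e].params), [], defects)
    return defects

# Constructed program mirroring slides 15-18 (buffer size and call values are the slides').
PROG = {
    "a":       Func([], 32, [("store", 35)]),                            # slide 15: a()
    "g":       Func(["position", "value"], 32, [("store", "position")]), # slide 15: g()
    "f":       Func([], 0, [("call", "g", [10, 55])]),                   # slide 16: f()
    "h":       Func([], 0, [("call", "g", [35, 25])]),                   # slide 17: h()
    "g_fixed": Func(["position", "value"], 32,                           # slide 18: g()
                    [("guard", "position", 0, 31), ("store", "position")]),
    "h_fixed": Func([], 0, [("call", "g_fixed", [35, 25])]),             # slide 18: h()
}
```

Analysing g() on its own with full-range parameters would flag the store as a possible violation; the defects reported from the callers f(), h() and h_fixed() are the ones the slides show.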

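The path reasoning of slides 20-21, as an added example that is not Klocwork's code: a toy path-sensitive symbolic check that records which symbols are known equal or unequal on each path and reports a tainted array index only on paths the facts allow. SymState, run, slide_f and find_tainted_index are constructed for this illustration; the statement tuples encode lines 3-13 of f(). It goes slightly beyond the slide by also handling f() without `i = j` on line 3, where both branches of line 6 are feasible but no single path can both taint k and reach line 13.

```python
from copy import deepcopy

class SymState:                             # facts known on one execution path
    def __init__(self):
        self.parent, self.diseq, self.tainted = {}, set(), set()   # equal / unequal / unvalidated
    def find(self, x):                      # union-find root of symbol x
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            x = self.parent[x]
        return x
    def assume(self, a, op, b):             # record a == b or a != b on this path
        ra, rb = self.find(a), self.find(b)
        if op == "==":
            self.parent[ra] = rb
        else:
            self.diseq.add(frozenset((ra, rb)))
    def decide(self, a, op, b):             # True/False if the path already fixes it, else None
        ra, rb = self.find(a), self.find(b)
        if ra == rb or frozenset((ra, rb)) in self.diseq:
            return (op == "==") == (ra == rb)
        return None

def run(stmts, st, defects):                # walk only the paths the facts allow
    for n, s in enumerate(stmts):
        if s[0] == "assign":                # dst = src: one symbol from now on
            st.assume(s[1], "==", s[2])
        elif s[0] == "taint":               # var = get_tainted_data()
            st.tainted.add(s[1])
        elif s[0] == "const":               # var = 0
            st.tainted.discard(s[1])
        elif s[0] == "index" and s[1] in st.tainted:   # buffer[var] = 0
            defects.append(s[1])
        elif s[0] == "if":                  # ("if", (a, op, b), then_stmts, else_stmts)
            a, op, b = s[1]
            verdict, rest = st.decide(a, op, b), stmts[n + 1:]
            for taken, branch in ((True, s[2]), (False, s[3])):
                if verdict in (None, taken):        # branch is feasible here
                    st2 = deepcopy(st)
                    st2.assume(a, op if taken else ("!=" if op == "==" else "=="), b)
                    run(branch + rest, st2, defects)
            return defects
    return defects

def slide_f(read_cond, with_assign=True):   # f() from slide 20; read_cond is line 12
    body = [("if", ("i", "==", "j"), [("taint", "k")], [("const", "k")]),  # lines 6-9
            ("if", read_cond, [("index", "k")], [])]                         # lines 12-13
    return ([("assign", "i", "j")] if with_assign else []) + body           # line 3

def find_tainted_index(stmts):              # variables used as an index while tainted
    return run(stmts, SymState(), [])
```

With line 12 as on slide 20 the result is empty; with the slide 21 change to `i == j` the tainted index k is reported, matching "Unvalidated input in array index".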