1. © 2019 Rogue Wave Software, Inc. All Rights Reserved.
No liftoff, touchdown, or
heartbeat shall miss
because of a software
failure – how do we do it?
Walter Capitani
Director, Product Management
2.
Presenter
Walter Capitani
Director, Product Management
Rogue Wave Software
walter.capitani@roguewave.com
Twitter: @walter_capitani
3.
The problem
• How can we build reliable
and secure safety-critical
software and achieve
standards compliance?
– Use tools that can automate
compliance, quality, and
security checking such as
static code analysis
– Are all static code analysis
tools built the same?
– How can we leverage modern
DevOps tools and concepts to
make this easier?
4.
Introducing: Klocwork 2019
• Hundreds of checkers for C, C++, C# and Java
• Support for numerous standards
• Customizable:
– Turn checkers on or off
– Change the severity of identified defects
– Add custom checkers

Coding Standards & Maintainability
• MISRA, DISA, CWE, CERT, etc.
• Dead code
• Unreachable code
• Calculated values that are never used
• Unused function parameters
• And many more…

Reliability
• Memory and resource leaks
• Concurrency violations
• Infinite loops
• Dereferencing NULL pointers
• Usage of uninitialized data
• Resource management
• Memory allocation errors
• And many more…

Security
• Buffer overflow
• Un-validated user input
• SQL injection
• Path injection
• File injection
• Cross-site scripting
• Information leakage
• Vulnerable coding practices
• And many more…
5. (embedded video)
6.
Klocwork 2019 and compliance
Significantly reduces the cost of reliable, secure software
• Complements existing testing approaches
• Automated and repeatable analysis
Enforce key industry standards
• DISA STIG, CWE, MISRA
• CERT, SAMATE
• OWASP, DO-178B, FDA validation
• ...and more
7.
How do we do it?
8.
Klocwork analyzes your source code
• The Klocwork algorithm includes multiple analysis technologies:
– Syntax Analysis
– Data Flow Analysis
– Symbolic Logic Analysis
• Requires source code
– The most accurate tools must be able to compile the code
– No changes to your existing build flow
• Different types of analysis
– Intra-procedural (simplest analysis)
– Inter-procedural
– Inter-file
9.
Build Process Interpretation
• Understand how the source code is built:
– Compiled
– Linked
– Automated code generation
– Custom build steps
10.
Klocwork Technologies
11.
Syntax Analysis
• Creates a lossless transformation of the source code
• Generates the ‘Abstract Syntax Tree’
• Can be used to find Coding Style Issues and Simple Defects
– Simple security defects (e.g. use of banned encryption API)
– Simple coding style issues (e.g. no dynamic memory allocation)
(Figure: source code on the left, its Abstract Syntax Tree on the right; the call node with Name = "malloc" is annotated "This function allocates memory".)
12.
Example defect

Vulnerable Code:
if(i = j) j++;
Defect: assignment operator used in conditional statement

Fixed Code:
if(i == j) j++;
Assignment operator replaced with the intended comparison operator
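Both syntactic checks mentioned so far (an assignment operator inside a condition, and a call to a banned function such as malloc) can be decided from the program text alone, with no flow information. The Python checker below is an added example written for this deck, not Klocwork code: it tokenizes a C snippet with a small regular-expression tokenizer so that comments, preprocessor lines and string literals can never trigger a finding, then applies both checks over the token stream (a token-level approximation of the AST walk the slides describe). The banned-function list and the sample C source are constructed for the illustration.

```python
import re

# Regular-expression tokenizer for the C subset used here. Whitespace, comments
# and preprocessor lines match the "skip" group and are discarded, so nothing
# inside them can trigger a checker; string and character literals are single
# tokens for the same reason.
TOKEN_RE = re.compile(r"""
      (?P<skip>\s+|//[^\n]*|/\*.*?\*/|\#[^\n]*)
    | (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
    | (?P<ident>[A-Za-z_]\w*)
    | (?P<num>\d+)
    | (?P<op>==|!=|<=|>=|\+\+|--|&&|\|\||->|[=(){};<>!+\-*/%,.\[\]&|])
""", re.VERBOSE | re.DOTALL)

def tokenize(src):
    """Return a list of (kind, text, line) tuples for the C source."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "skip":
            tokens.append((m.lastgroup, m.group(), src.count("\n", 0, m.start()) + 1))
    return tokens

# Constructed policy list (an assumption for this example): which calls a
# project forbids and why. A real list would come from the coding standard.
BANNED_CALLS = {
    "malloc": "dynamic memory allocation is not allowed in this code base",
    "gets": "unbounded read into a fixed-size buffer",
    "MD5_Init": "use of a banned hash API",
}

KEYWORDS_BEFORE_CALL = {"return", "else", "do", "case"}

def check(src):
    """Run both syntactic checkers; return [(line, checker, message)]."""
    toks = tokenize(src)
    findings = []
    for n, (kind, text, line) in enumerate(toks):
        follows_paren = n + 1 < len(toks) and toks[n + 1][1] == "("
        if kind != "ident" or not follows_paren:
            continue
        # Checker 1: a lone '=' anywhere inside an if/while condition. '==' is
        # its own token, so only real assignments are reported; the idiom
        # ((x = f()) != 0) is reported too, as strict coding standards require.
        if text in ("if", "while"):
            depth = 0
            for _, t2, l2 in toks[n + 1:]:
                if t2 == "(":
                    depth += 1
                elif t2 == ")":
                    depth -= 1
                    if depth == 0:
                        break
                elif t2 == "=":
                    findings.append((l2, "ASSIGN_COND", f"assignment operator used in {text} condition"))
        # Checker 2: call to a banned function. An identifier preceded by another
        # identifier (e.g. 'void gets(') is a declaration, not a call.
        elif text in BANNED_CALLS:
            prev = toks[n - 1] if n else None
            is_decl = prev is not None and prev[0] == "ident" and prev[1] not in KEYWORDS_BEFORE_CALL
            if not is_decl:
                findings.append((line, "BANNED_API", f"call to {text}(): {BANNED_CALLS[text]}"))
    return findings

# Constructed sample input containing the slide's example defect and its fix.
SAMPLE_C = r"""
#include <stdlib.h>
/* constructed sample input for the checkers above */
void demo(int i, int j) {
    char *p = malloc(8);            /* reported: BANNED_API */
    if(i = j) j++;                  /* reported: ASSIGN_COND (the example defect) */
    if(i == j) j++;                 /* fixed form, not reported */
    while ((i = j) != 0) j--;       /* reported: '=' inside a while condition */
    puts("malloc( inside a string literal is ignored");
    // if (i = j) inside a comment is ignored too
    free(p);
}
"""

if __name__ == "__main__":
    for line, checker, msg in check(SAMPLE_C):
        print(f"line {line}: {checker}: {msg}")
```

Because the tokenizer drops comments and keeps literals as single tokens, the `malloc(` inside the string and the `if (i = j)` inside the comment are not reported, while the real assignment in the `while` condition is; that is exactly the difference between a text search and a syntactic check.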
13.
This seems to work well, but…
• These defects are contained in a single program
statement
• They are not dependent on values from external
functions
• Syntax Analysis can only find a limited set of defects
To find more interesting defects
you need to perform
more sophisticated analysis
14.
Data Flow Analysis
• Monitoring of the lifecycle
of data objects:
– Creation
– Assignment
– Usage
– Deletion
• Must be monitored across all
paths in the Control Flow Graph
– Function calls
– Compilation units
• Can find program crashes across functions and files
15.
Data Flow Analysis - example
• Function a() will cause the program to crash at line 3
• Function g() will cause the program to crash if position is outside the valid range – how do we know whether this will happen?
1 void a(){
2 int buffer[32]; // valid range of 0..31
3 buffer[35] = 5; // buffer access outside valid range (35)
4 return;
5 }
Defect: Array bounds violation (line 3)

1 void g(int position, int value){
2 int buffer[32]; // valid range of 0..31
3 buffer[position] = value;
4 return;
5 }
16.
Data Flow Analysis - example
• Data Flow Analysis tracks which values are actually used when function f() calls function g()
1 void g(int position, int value){
2 int buffer[32]; // valid range of 0..31
3 buffer[position] = value;
4 return;
5 }
1 void f(){
2 g(10,55); // calls function g with position=10, value=55
3 return;
4 }
No defect reported: the value passed for position (10) is within the valid range
Vulnerable Code (g() itself still has no bounds check; only this call site is safe)
17.
Data Flow Analysis - example
• Data Flow Analysis tracks which values are actually used when function h() calls function g()
1 void g(int position, int value){
2 int buffer[32]; // valid range of 0..31
3 buffer[position] = value; // buffer access outside valid range (35)
4 return;
5 }
1 void h(){
2 g(35,25); // calls function g with position=35, value=25
3 return;
4 }
Defect: Array bounds violation at line 3 of g() (program crash), reached from line 2 of h()
Vulnerable Code
18.
Data Flow Analysis - example
• Data Flow Analysis tracks which values are actually used when function h() calls function g()
1 void g(int position, int value){
2 int buffer[32]; // valid range of 0..31
3 if (position < 0 || position > 31) // Check position is valid
4 return;
5 buffer[position] = value;
6 return;
7 }
1 void h(){
2 g(35,25); // calls function g with position=35, value=25
3 return;
4 }
No defect: the check at line 3 rejects position=35 before the access at line 5
Fixed Code
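The three call-site slides above can be reproduced with a small interval (value-range) analysis. The Python below is an added example, not Klocwork's algorithm: functions are written in a tiny constructed statement IR (array declaration, bounds guard, array store, call with constant arguments); each call site is analyzed with the callee's parameter bound to the interval of the argument it receives, and a guard either narrows that interval or proves the rest of the function unreachable for that caller. Run against the a()/f()/g()/h() programs it reports the out-of-bounds writes in a() and in g() when called from h(), nothing for the call from f(), and nothing for h() once the check on position is added.

```python
from dataclasses import dataclass

@dataclass
class Function:
    """A function in a tiny constructed statement IR:
         ("decl_array", name, size)     int name[size];
         ("guard", var, lo, hi)         if (var < lo || var > hi) return;
         ("store", array, index)        array[index] = ...;  index is a constant or a parameter
         ("call", callee, (args...))    callee(args...);     args are constants
    """
    name: str
    params: tuple
    body: list

def analyze(fn, program, args=None, path=()):
    """Interprocedural interval analysis of one call context.

    args maps fn's parameters to the inclusive (low, high) intervals they receive
    from the caller; path is the chain of callers, used only for reporting.
    Returns the list of defects found in this context."""
    env = dict(args or {})            # variable -> (low, high)
    arrays = {}                       # array name -> declared size
    defects = []
    here = "->".join(path + (fn.name,))
    for st in fn.body:
        kind = st[0]
        if kind == "decl_array":
            arrays[st[1]] = st[2]
        elif kind == "guard":
            _, var, lo, hi = st
            low, high = env[var]
            low, high = max(low, lo), min(high, hi)   # values that survive the check
            if low > high:
                return defects        # every incoming value is rejected: the rest is unreachable
            env[var] = (low, high)
        elif kind == "store":
            _, arr, index = st
            low, high = env[index] if isinstance(index, str) else (index, index)
            size = arrays[arr]
            if low < 0 or high > size - 1:
                defects.append(f"{here}: {arr}[{index}] may be in [{low}, {high}], outside 0..{size - 1}")
        elif kind == "call":
            _, callee_name, call_args = st
            callee = program[callee_name]
            # context-sensitive: bind each parameter to the exact constant passed here
            bound = {p: (a, a) for p, a in zip(callee.params, call_args)}
            defects += analyze(callee, program, bound, path + (fn.name,))
    return defects

def build_program(fixed_g):
    """The a()/f()/g()/h() functions from the slides; fixed_g adds g()'s bounds check."""
    g_body = [("decl_array", "buffer", 32)]
    if fixed_g:
        g_body.append(("guard", "position", 0, 31))
    g_body.append(("store", "buffer", "position"))
    return {
        "a": Function("a", (), [("decl_array", "buffer", 32), ("store", "buffer", 35)]),
        "g": Function("g", ("position", "value"), g_body),
        "f": Function("f", (), [("call", "g", (10, 55))]),
        "h": Function("h", (), [("call", "g", (35, 25))]),
    }

def run(fixed_g=False):
    """Analyze every parameterless function as an entry point; return {name: defects}."""
    program = build_program(fixed_g)
    return {name: analyze(fn, program) for name, fn in program.items() if not fn.params}

if __name__ == "__main__":
    for label, fixed in (("vulnerable g()", False), ("fixed g()", True)):
        print(label)
        for name, found in run(fixed).items():
            print(f"  {name}: {found or 'no defect'}")
```

The analysis is deliberately context-sensitive: g() is re-analyzed once per caller with the interval that caller supplies, which is what lets the same function body be clean for f() and defective for h(). Analyzing g() once with position unconstrained would instead report it in every case, including the fixed version's unreachable path, which is the kind of false positive the slides are trying to avoid.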
19.
This also seems to work well, but…
• Data Flow Analysis alone can only understand actual
numeric values (or ranges of values)
• What if there are no numeric values at all? How do we
determine valid data flow paths?
To find more interesting defects
you need to augment data flow analysis
with Symbolic Logic
20.
Symbolic Logic
• Define functional behavior between symbols
• Don’t necessarily know what the values will be at runtime
• Used to infer software behavior
1 void f(int i, int j){
2 int buffer[32]; // valid range of 0..31
3 i = j;
4 int k;
5 /* set the value of k */
6 if (i == j)
7 k = get_tainted_data(); // Since i equals j, k is tainted
8 else
9 k = 0;
10
11 /* read the value of k */
12 if (i != j) // Since i == j, this branch is never taken and k is not used
13 buffer[k] = 0;
14 return;
15 }
21.
Symbolic Logic
• Symbolic logic determines that since i == j, there is no use of tainted data at line 13
• Without it, a tool can only guess whether line 13 is reachable, and risks a false positive here
• If we change line 12, then a defect appears!
1 void f(int i, int j){
2 int buffer[32]; // valid range of 0..31
3 i = j;
4 int k;
5 /* set the value of k */
6 if (i == j)
7 k = get_tainted_data(); // Since i equals j, k is tainted
8 else
9 k = 0;
10
11 /* read the value of k */
12 if (i == j) // Since i == j, k will be used
13 buffer[k] = 0; // tainted value used as array index
14 return;
15 }
Defect: Unvalidated input in array index (program crash)
Vulnerable Code
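The point of the two slides above is that line 13 is unreachable only because the path condition i != j contradicts the earlier assignment i = j, and becomes reachable once line 12 is changed. The Python below is an added example, not Klocwork's implementation: a minimal symbolic executor that keeps, per path, what each variable symbolically equals, which variables hold tainted data, and the accumulated path condition, and discards any path whose condition is unsatisfiable (checked with union-find over the symbolic terms). The statement IR, the symbol names and the taint source are constructed for the illustration.

```python
def find(parent, x):
    """Union-find root lookup; a term never seen before is its own root."""
    while parent.setdefault(x, x) != x:
        x = parent[x]
    return x

def feasible(pc):
    """pc is a list of (lhs, op, rhs) constraints over symbolic terms (strings);
    constants are spelled '#<n>'. Merge all '==' terms, then the path is
    infeasible if any '!=' pair shares a class or two distinct constants do."""
    parent = {}
    for a, op, b in pc:
        if op == "==":
            parent[find(parent, a)] = find(parent, b)
    for a, op, b in pc:
        if op == "!=" and find(parent, a) == find(parent, b):
            return False
    const_in_class = {}
    for term in list(parent):
        if term.startswith("#"):
            root = find(parent, term)
            if const_in_class.setdefault(root, term) != term:
                return False
    return True

def execute(stmts, env, tainted, pc, defects):
    """Symbolically execute stmts on one path; return the number of feasible
    paths explored. env: variable -> symbolic term; tainted: variables holding
    attacker-controlled data; pc: path condition collected so far.
    Statement IR (constructed for this example):
        ("assign", dst, src)        dst = src;
        ("const", dst, n)           dst = n;
        ("taint", dst)              dst = get_tainted_data();
        ("store", arr, size, idx)   arr[idx] = ...;
        ("if", (a, op, b), then_stmts, else_stmts)   op is "==" or "!="
    """
    for n, st in enumerate(stmts):
        kind = st[0]
        if kind == "assign":
            _, dst, src = st
            env[dst] = env[src]              # dst now denotes the same symbolic term as src
            tainted.discard(dst)
            if src in tainted:
                tainted.add(dst)
        elif kind == "const":
            _, dst, value = st
            env[dst] = f"#{value}"
            tainted.discard(dst)
        elif kind == "taint":
            _, dst = st
            env[dst] = f"tainted_{dst}"      # fresh, unconstrained symbol
            tainted.add(dst)
        elif kind == "store":
            _, arr, size, idx = st
            if idx in tainted:
                defects.append(f"{arr}[{idx}]: unvalidated input used as index into {arr}[{size}] on path {pc}")
        elif kind == "if":
            _, (a, op, b), then_stmts, else_stmts = st
            negated = "!=" if op == "==" else "=="
            rest = stmts[n + 1:]
            paths = 0
            for cond, branch in (((env[a], op, env[b]), then_stmts),
                                 ((env[a], negated, env[b]), else_stmts)):
                new_pc = pc + [cond]
                if not feasible(new_pc):
                    continue                 # contradicts earlier facts: branch unreachable
                paths += execute(branch + rest, dict(env), set(tainted), new_pc, defects)
            return paths
    return 1

def f_program(line12_op):
    """f(i, j) from the slides; line12_op is "!=" (no defect) or "==" (defect)."""
    return [
        ("assign", "i", "j"),                        # line 3:  i = j;
        ("if", ("i", "==", "j"),                     # line 6:  if (i == j)
            [("taint", "k")],                        # line 7:      k = get_tainted_data();
            [("const", "k", 0)]),                    # line 9:  else k = 0;
        ("if", ("i", line12_op, "j"),                # line 12: if (i != j)  or  if (i == j)
            [("store", "buffer", 32, "k")],          # line 13:     buffer[k] = 0;
            []),
    ]

def analyze_f(line12_op):
    """Return (feasible paths explored, defects) for f() with the given line 12."""
    defects = []
    paths = execute(f_program(line12_op), {"i": "i0", "j": "j0"}, set(), [], defects)
    return paths, defects

if __name__ == "__main__":
    for op in ("!=", "=="):
        paths, found = analyze_f(op)
        print(f"line 12 'if (i {op} j)': {paths} feasible path(s), defects: {found or 'none'}")
```

After line 3 both i and j denote the same symbolic term, so the condition at line 12 is decided without knowing any concrete value: with `!=` the only feasible path skips the store and nothing is reported, with `==` the store is reached with k tainted and the defect appears. A tool that tracked only concrete values would have to treat both branches as possible and guess.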
22.
How can Continuous
Integration make it even
better?
23.
What is continuous integration (CI)?
• In software engineering, CI is the practice of merging all developer
working copies to a shared mainline several times a day. Grady
Booch first named and proposed CI in his 1991 method, although he did
not advocate integrating several times a day.
• Continuous integration – the practice of frequently integrating
one's new or changed code with the existing code repository –
should occur frequently enough that no intervening window remains
between commit and build, and such that no errors can arise without
developers noticing them and correcting them immediately.
24.
Example CI process
25.
Continuous integration and
static code analysis
– better together
26.
Example CI process with SCA
27.
Enhanced SCA process with CI
• For some developers, compiling their code on the desktop is not possible, so desktop analysis is not an option
• In addition, integration issues may still be detected after check-in, even when using desktop analysis
(Diagram, time running left to right: Developer 1 and Developer 2 each go through Edit & Save, Analyze & Fix, Compile & Test, Check In; the Integrate step then runs Compile & Test on the merged code, and new possible issues are found only here.)
28.
Continuous static code
analysis
29.
The future: Continuous static code analysis …
• Continuous static code analysis (CSCA) brings all the benefits of centralised server-
side, deep, inter-procedural control- and data-flow analysis to a near-desktop
feedback timescale!
• Central management of development systems fits well with DevOps movement
• Enables continuous reporting and continuous compliance
Advantages
• Near desktop speed feedback loop
• Server accuracy, centralised configuration
• Visibility of the current status
30.
Klocwork is designed for CI
• Automated: supporting the most important CI build management systems
• Fast(er): to reduce feedback time, only the affected code should be analyzed
• Scalable: by requiring minimal resources and deploying across multiple agents
• Relevant: by reporting only the information that is required for the given context (example: only the diffs since the last build / build X)
31. (embedded video)