Static code analysis finds avoidable errors

At the Source

Virtue out of Necessity

If you want to get used to a thorough and clean programming style, going with Splint is undoubtedly a good idea – you will be in good company. Developers who also want to investigate every false positive thoroughly will find RATS a helpful companion.

In all cases, the results are important: enforcing quality assurance; rethinking and relearning from the constant, unyielding criticism of the check tools; and ensuring low-security-risk software. OpenBSD shows that static code analysis, reviews, and coding standards can make secure programming a reality, as evidenced by just two remotely exploitable security vulnerabilities in 20 years.

Infos

  1. Anderson, James P. Computer Security Technology Planning Study. Bedford (MA): Deputy for Command and Management Systems HQ Electronic Systems Division (AFSC), Technical Report ESD-TR-73-51, Vol. II, October 1972, https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande72.pdf
  2. "NT Web Technology Vulnerabilities" by rain.forest.puppy, Phrack Magazine , volume 8, issue 54, December 25, 1998, article 8, http://phrack.org/issues/54/8.html#article
  3. "Embedded Coding Standard" by Barr Group: https://barrgroup.com/Embedded-Systems/Books/Embedded-C-Coding-Standard/Introduction
  4. Uncrustify: http://uncrustify.sourceforge.net
  5. JSLint: http://www.jslint.com
  6. JavaScript tutorials: https://wiki.selfhtml.org/wiki/JavaScript/Tutorials/Einstieg/Einbindung_in_HTML
  7. JavaScript strings: https://www.w3schools.com/js/js_strings.asp
  8. CC BY-SA 3.0: https://creativecommons.org/licenses/by-sa/3.0/
  9. Splint: http://splint.org
  10. Hoare, C.A.R. An axiomatic basis for computer programming. Communications of the ACM , 1969;12(10):576-583, https://web.archive.org/web/20160304013345/http://www.spatial.maine.edu/~worboys/processes/hoare%20axiomatic.pdf
  11. RATS: https://github.com/andrew-d/rough-auditing-tool-for-security
  12. Coverity Static Application Security Testing (SAST): https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
  13. Coverity Scan: https://scan.coverity.com

The Author

Dr. Tobias Eggendorfer is a professor of IT security and a freelance IT consultant (http://www.eggendorfer.info). When he teaches IT forensics, his students moan from time to time, because long-forgotten knowledge from basic lectures suddenly becomes important again, which is exactly what makes IT forensics and security so exciting.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • From debugging to exploiting
    Kernel and compiler security techniques, together with sound programming practices, fend off memory corruption exploits.
  • Kernel and driver development for the Linux kernel
    The /proc filesystem facilitates the exchange of current data between the system and user. To access the data, you simply read and write to a file. This mechanism is the first step for understanding kernel programming. ü
  • Tuning I/O Patterns in Python

    In the third article of this three-part series, we look at simple write examples in Python and track the output with strace to see how it affects I/O patterns and performance.

  • New features in PHP 7.3
    The new PHP 7.3 simplifies string handling, supports PCRE version 2, adds LDAP controls, improves logging, and deprecates some features, functions, and syntax elements.
  • Tuning I/O Patterns in C

    The language you choose to use affects I/O patterns and performance. We track a simple write I/O pattern with C and look at how to improve performance.

comments powered by Disqus