At present there are a lot of tools intended for automating search of program vulnerabilities. This article describes some of them.
Static code analysis is software analysis which deals with the source code of programs and is implemented without real execution of the program being examined.
Software often contains various vulnerabilities because of errors in program code. Errors made while developing programs cause program failure and consequently the program cannot work normally: data alteration and contamination often occur as well as program halt or even system halt. Most of the vulnerabilities relate to incorrect processing of input data or not rather strict check of these data.
To detect vulnerabilities different tools are used, for example, static analyzers of source program code, which are reviewed in this article.
When a requirement of correct work of a program at all possible input data is violated, the so called security vulnerabilities may occur. Security vulnerabilities may result in that one program may be used to overcome security limitations of the whole system.
Classification of security vulnerabilities depending on program errors:
Of course, there exist other types of security vulnerabilities.
To detect security vulnerabilities in programs the following tools are used:
Static analyzers point out those sections in a program where an error may occur. These suspicious sections of the code may both contain an error and be useless at all.
Some of the existing static analyzers are reviewed in this article. Let's discuss each of them in detail.
BOON tool, being based on deep semantic analysis, automates the process of scanning source C texts to detect vulnerable sections which can cause buffer overflow. It detects possible defects supposing that some values are part of an implicit type with a concrete buffer's size.
CQual is a tool to detect errors in C programs. The program introduces additional type qualifiers defined by the user to C language. The programmer comments his program with corresponding qualifiers and cqual searches errors. Incorrect annotations indicate possible errors. Cqual can be used to detect possible format string vulnerability.
MOPS (MOdel checking Programs for Security) is a tool to search security vulnerabilities in C programs. It is intended for dynamic patch to make a C program correspond to a static model. MOPS uses a software auditing model which is meant to find out if the program observes a set of rules defined to create safe programs.
To detect buffer overflow errors and format string errors the following static analyzers are used:
All these tools are similar and use only lexical analysis and simple syntax analysis. That's why the results provided by these programs may contain even 100% of false messages.
Bunch is a tool of analysis and visualization of C programs building a graph of dependencies which help the auditor to examine the modular structure of the program.
UNO is a simple analyzer of source code. It was developed to detect such errors as unassigned variables, zero pointers and excess of array limits. UNO allows you to perform simple analysis of execution thread and data threads, both intra- and interprocedure analysis, specify the user properties. But this tool cannot be used for analysis of real applications, doesn't support many standard libraries and doesn't allow you to analyze however serious programs at the present stage of development.
FlexeLint (PC-Lint) - this analyzer is intended for analyzing source code to detect different type errors. The program performs semantic analysis of source code, analysis of data and execution threads.
When the work is done, messages of several types are shown:
Viva64 tool which helps a specialist to detect in the source code of C/C++ programs potentially unsafe sections relating to porting from 32-bit systems on 64-bit ones. Viva64 integrates into Microsoft Visual Studio 2005/2008 what provides convenient work with this tool. The analyzer helps to write correct and optimized code for 64-bit systems.
Parasoft C++test is a specialized tool for Windows allowing you to automate analysis of C++ code quality. C++test package analyzes the project and generates the code intended for checking items of the project. C++test package performs very important work of analyzing C++ classes. When the project is loaded it is necessary to set testing methods. The software analyzes each argument of a method and returns types of corresponding values. Argument values are assigned by default in case of data of simple types; you can define testing data for types and classes defined by the user. You can redefine C++test arguments used by default and assign values received as the result of the test. We should mention also that C++test can test incomplete code. The software generates stub-code for any method and function which doesn't exist yet. It supports imitation of external devices and input data defined by the user. The both functions allow you to perform retesting. When testing parameters are defined for all the methods, C++test package is ready to launch the executed code. The package generates test-code calling Visual C++ compiler to create it. You can implement tests on method, class, file and project levels.
Coverity tools are used to detect and correct security and quality defects in applications of critical purpose. Coverity company's technology removes barriers in writing and introducing complex software by automating the process of searching and correcting critical program errors and security vulnerabilities during development. Coverity company's tool can process tens of millions of code strings with a minimum positive error providing full trace coverage.
Klocwork company's products are intended for automatic static code analysis, detection and prevention of software defects and security problems. Tools of this company are used to detect basic reasons of software quality and security vulnerabilities, to control and prevent these defects during the whole development process.
Frama-C is an open, integrated set of tools for analyzing C source code. The set includes ACSL (ANSI/ISO C Specification Language) - a special language allowing you to describe specifications of C functions in detail, for example, define the range of acceptable input values of a function and the range of normal output values.
This toolkit helps to:
CodeSurfer is a tool for program analysis, the main aim of which is not to search security vulnerability errors. Its main advantages are:
CodeSurfer can be used to detect errors in source code, to make source code clearer, and to reengineer programs. Within the framework of CodeSurfer a prototype of a tool to detect security vulnerabilities has been developed, but the developed tool is used only by the developers of the organization.
FXCop provides means of automatic testing of .NET-integrations to find out if they meet Microsoft .NET Framework Design Guidelines rules. The compiled code is tested with the help of reflection mechanism, MSIL parsing and analysis of the call graph. As the result FxCop can detect more than 200 defects (or errors) in the following spheres:
FxCop supports the possibility of creating your own rules with the help of special SDK. FxCop can work both in the graphical interface and in the command line.
JavaChecker is a static analyzer of Java programs based on TermWare technology.
This tool allows you to detect such code defects as:
The set of tests can be controlled by using control comments.
JavaChecker can be called from ANT script.
Simian is a small tool developed for effective search of code repetitions. It lacks graphical interface but it can be launched in the command line or called programmatically. The results are printed in text mode and can be represented in one of the embedded formats (for example, XML). Although its poor interface and limited possibilities of result print demand some learning, it helps to keep integrity and efficiency of the product. Simian can be used to search repeating code both in small and large projects.
Repeating code makes a project less supportable and updatable. You may use Simian for quick search of doubling code sections in many files simultaneously. As Simian can be launched in the command line it can be included into the building process to receive warning messages and stop the process if some code sections are repeated.
So, in this article we've discussed source code static analyzers which serve as auxiliary tools for a programmer. All the tools are different and help to detect various types of security vulnerabilities in programs. We could conclude that static analyzers must be precise and sensitive. But unfortunately, static debugging means cannot guarantee 100% safety.
There is no fragment in program code where you cannot make mistakes. You may actually make them in very simple fragments. While programmers have worked out the habit of testing algorithms, data exchange mechanisms and interfaces, it's much worse concerning security testing. It is often implemented on the leftover principle. A programmer is thinking: "I just write a couple of ...