What is Static Code Analysis

Static code analysis (SCA), or source code analysis, is the process of analyzing source code without executing it. Static analysis can detect possible vulnerabilities in the source code by checking the code against a set (or multiple sets) of coding rules.

Here are some benefits of Static Code Analysis:

  1. Faster project execution
  2. Better source code at check-in
  3. Less costly development cycles
  4. Shorter time-to-market

Syntax Analysis

Syntax Analysis creates a lossless transformation of the source code by generating the “Abstract Syntax Tree”.

Syntax Analysis can be used to find coding style issues and simple defects:

  • Simple security defects (e.g. use of banned encryption API)
  • Simple coding style issues (e.g. no dynamic memory allocation)


Syntax Analysis - example

Vulnerable Code

Fixed Code

This seems to work well, but

  • These defects are contained in a single program statement
  • They are not dependent on values from external functions
  • Syntax Analysis can only find a limited set of defects

To find more interesting defects you need to perform more sophisticated analysis

Data Flow Analysis

Data Flow Analysis can find program crashes across functions and files. It monitors the lifecycle of data objects (creation, assignment, usage, deletion) along every path in the Control Flow Graph, including function calls, compilation units, etc.

Data Flow Analysis – example

This function a() will cause the program to crash:

  void a(){
    int buffer[32]; // valid range of 0..31
    buffer[35] = 5; // buffer access outside valid range (35)
    return;
  }


This function g() will cause the program to crash if position is outside the valid range – how do we know if this will happen?

  void g(int position, int value){
    int buffer[32]; // valid range of 0..31
    buffer[position] = value;
    return;
  }


Data Flow Analysis tracks which values are actually used when function f() calls function g():

  void f(){
    g(10,55); // calls function g with position=10, value=55
    return;
  }
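To show how an analyzer carries the call-site values from f() into g() and decides whether the index is in range, here is an added toy interprocedural data-flow checker in Python. It is my example, not Klocwork's code or the page's own; the mini IR, the Func class and the extra caller h() are constructed for it.

```python
from dataclasses import dataclass

# Constructed toy IR (not Klocwork's); each statement is a tuple:
#   ("array", name, size)        -> int name[size];
#   ("store", name, index)       -> name[index] = ...;  index is an int or a parameter name
#   ("call", callee, [args...])  -> callee(args...);    args are ints or parameter names
@dataclass
class Func:
    name: str
    params: list
    body: list

def _resolve(operand, env):
    """An int literal is its own value; a parameter has a value only if a caller supplied one."""
    return operand if isinstance(operand, int) else env.get(operand)

def analyze(funcs, entry, env=None, trace=()):
    """Walk `entry`, carrying concrete argument values into callees; return findings with a call trace."""
    env = env if env is not None else {}
    trace = trace + (entry,)
    arrays, findings = {}, []
    for stmt in funcs[entry].body:
        if stmt[0] == "array":
            arrays[stmt[1]] = stmt[2]
        elif stmt[0] == "store":
            size, idx = arrays[stmt[1]], _resolve(stmt[2], env)
            if idx is None:                       # g() analysed alone: value depends on the caller
                findings.append(("unknown index", stmt[1], stmt[2], trace))
            elif not 0 <= idx < size:             # a(), or g() reached with a bad argument
                findings.append(("out of bounds", stmt[1], idx, trace))
        elif stmt[0] == "call":
            callee = funcs[stmt[1]]
            args = {p: _resolve(a, env) for p, a in zip(callee.params, stmt[2])}
            findings.extend(analyze(funcs, callee.name, args, trace))
    return findings

# The page's a(), g() and f() in the toy IR, plus a constructed caller h() that reaches the crash.
PROGRAM = {
    "a": Func("a", [], [("array", "buffer", 32), ("store", "buffer", 35)]),
    "g": Func("g", ["position", "value"], [("array", "buffer", 32), ("store", "buffer", "position")]),
    "f": Func("f", [], [("call", "g", [10, 55])]),
    "h": Func("h", [], [("call", "g", [40, 1])]),
}

if __name__ == "__main__":
    for fn in ("a", "g", "f", "h"):
        print(fn, "->", analyze(PROGRAM, fn) or "no finding")
```

Analysing g() on its own only reports that the index is unknown, which is the "how do we know?" question above; analysing f() reports nothing because its single call site passes position=10, while h() yields the out-of-bounds finding together with the trace ('h', 'g').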

Complex issues need a trace back (sample report from Klocwork, Static Code Analyzer)

This also seems to work well, but…

  • Data Flow Analysis alone can only understand actual numeric values (or ranges of values)
  • What if there are no numeric values at all? How do we determine valid data flow paths?

To find more interesting defects you need to augment data flow analysis with Symbolic Logic.

Symbolic Logic Analysis

  • Define functional behavior between symbols
  • Don’t necessarily know what the values will be at runtime
  • Used to infer software behavior

For example:

  int gettainteddata(void); // supplied elsewhere; returns untrusted input

  void f(int i, int j){
    int buffer[32]; // valid range of 0..31
    int k;
    i = j;
    /* set the value of k */
    if (i == j)
      k = gettainteddata();  // Since i equals j, k is tainted
    else
      k = 0;
    /* read the value of k */
    if (i != j)               //  Since i = j, k will not be used
      buffer[k] = 0;
    return;
  }

Defect: Unvalidated input in array index (program crash)

Complex issues need a trace back (sample Klocwork report, Static Code Analyser)

Unvalidated integer value 'size' is received from 'atoi' at line 1474 and can be used to access an array through call to 'rcschangetext' at line 1707.

Klocwork – Static Code Analyser

Klocwork is an ISO/IEC certified static source code analysis tool from Perforce, widely adopted by more than 2,200 customers worldwide; it allows developers to identify code defects at the developer’s desktop while they are coding.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality, and reliability issues, and it can help organisations enforce compliance with industry standards.

Klocwork can perform Data Flow Analysis, Syntax Analysis and Symbolic Logic Analysis to analyse the source code for vulnerabilities. Register here for a Klocwork trial, https://meteonic.com/contact-us, or send a mail to support@meteonic.com