– A static analyzer for code is similar to a spell checker!
– A clean report from a static analysis tool doesn't guarantee that the code is perfect;
– It just indicates that the code is free of certain kinds of common problems.
– Security problems can result from:
  – the same kind of simple mistakes that lead a good speller to occasionally make a typo;
  – a lack of understanding about what secure programming requires.
Capabilities of Static Analysis
Static analysis tools apply checks thoroughly and consistently, without any of the bias that a programmer might have about which pieces of code are “interesting” from a security perspective or which pieces of code are easy to exercise through dynamic testing.
By examining the source code, static analysis tools can often point to the root cause of a security problem, not just one of its symptoms. This is important for making sure that vulnerabilities are fixed properly.
Static analysis can find errors early in development, even before the program is run for the first time. This reduces the cost of fixing the error, and the quick feedback cycle helps the programmer.
A programmer has the opportunity to correct mistakes he or she wasn’t previously aware could even happen, so static analysis tools act as a means of knowledge transfer.
When a new attack is discovered, static analysis tools make it easy to recheck a large body of code.
Some security defects exist in software for years before they are discovered, which makes the ability to review legacy code for newly discovered types of defects invaluable.
Limitations of Static Analysis
False positive: a problem is reported in a program when no problem actually exists.
False negative: a problem exists in the program, but the tool does not report it.
The most common complaint against static analysis tools is too many false positives, AKA false alarms (too much noise).
False positives are certainly undesirable, but from a security perspective, false negatives are much worse.
For a static analysis tool to catch a defect, the defect must be visible in the code.
It is often hard to derive design vulnerabilities from the implementation alone.
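To make the false positive / false negative distinction concrete, here is a toy security-review checker (an added example, not code from the book or from these notes) that scans a constructed C fragment for calls to a list of banned functions. The sample source, the `safe_strcpy` wrapper and the `BANNED` list are all assumptions made for the illustration; a substring matcher is noisy, a call matcher is quieter but still blind to a call made through a function pointer, which is the “defect must be visible in the code” limit above.

```python
import re

# Constructed C fragment (not from the book): line 2 is a real unsafe call,
# line 3 names strcpy only in a comment, line 4 calls a (hypothetical) safe
# wrapper whose name merely contains "strcpy", and line 5 reaches strcpy
# through a function pointer, so no literal "strcpy(" appears at the call.
SAMPLE_C = """\
#include <string.h>
void f(char *dst, const char *src) { strcpy(dst, src); }
/* strcpy is banned here; use safe_strcpy instead */
void g(char *dst, const char *src) { safe_strcpy(dst, src, 16); }
void h(char *dst, const char *src) { char *(*cp)(char *, const char *) = strcpy; cp(dst, src); }
"""
UNSAFE_LINES = [2, 5]          # ground truth a human reviewer would settle on

# The "new attack discovered" case from the text: extend this tuple and rerun.
BANNED = ("gets", "strcpy", "sprintf")
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(%s)\s*\(" % "|".join(BANNED))

def naive_check(source):
    """Substring match on every line: cheap, but noisy (false positives)."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if any(fn in line for fn in BANNED)]

def call_check(source):
    """Only flag a direct call `name(`; drop single-line block comments first.
    Quieter, but it cannot see the call made through a pointer on line 5."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = re.sub(r"/\*.*?\*/", "", line)
        if CALL_RE.search(code):
            hits.append(n)
    return hits

def classify(reported, truth):
    """Split a report into (true positives, false positives, false negatives)."""
    reported, truth = set(reported), set(truth)
    return (sorted(reported & truth), sorted(reported - truth), sorted(truth - reported))

if __name__ == "__main__":
    for checker in (naive_check, call_check):
        tp, fp, fn = classify(checker(SAMPLE_C), UNSAFE_LINES)
        print(f"{checker.__name__}: true={tp} false_pos={fp} false_neg={fn}")
```

Neither checker is right on its own: the naive one reports lines 3 and 4 that a reviewer would dismiss, while the stricter one silently drops line 5, which from a security perspective is the worse outcome.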
Categories of Static Analysis Tools
Static analysis is used more widely than many people realize, partially because there are many kinds of static analysis tools:
- Type checking
- Style checking
- Program understanding
- Program veriﬁcation
- Property checking
- Bug ﬁnding
- Security review
Type checking is the most widely used form of static analysis, and the one most programmers are familiar with.
The rules of type checking are typically defined by the programming language and enforced by the compiler.
So the programmer gets little say in when the analysis is performed or how it works.
Type checking removes entire categories of programming mistakes.
Type checking suffers from false positives and false negatives just like all other static analysis techniques.
Interestingly, programmers rarely complain about a type checker’s limitations.
Type Checking False Positive Examples
Style Checkers generally enforce a pickier and more superficial set of rules than a type checker.
Pure style checkers enforce rules related to whitespace, naming, deprecated functions, commenting, program structure, etc.
Because many programmers are attached to their own version of good style, most style checkers are quite flexible about the set of rules they enforce.
The errors produced by style checkers often affect the readability and the maintainability of the code but do not indicate that a particular error will occur.
Over time, some compilers have implemented optional style checks.
Many open source and commercial style checkers are available; a famous one is lint.
Secure Programming with Static Analysis, Brian Chess, Jacob West, 2008, Chapters 2, 3, 4.