Static Security Analysis



– A static analyzer for code is similar to a spell checker!

– A clean result from a static analysis doesn’t guarantee that the code is perfect;

– It just indicates that the code is free of certain kinds of common problems.

– Security problems can result from

—the same kind of simple mistakes that lead a good speller to occasionally make a typo

—lack of understanding about what secure programming needs.

Capabilities of Static Analysis

Static analysis tools apply checks thoroughly and consistently, without any of the bias that a programmer might have

—about which pieces of code are “interesting” from a security perspective or

—which pieces of code are easy to exercise through dynamic testing.

By examining the source code, static analysis tools can often point to the root cause of a security problem, not just one of its symptoms.

This is important for making sure that vulnerabilities are fixed properly

Static analysis can find errors early in development, even before the program is run for the first time.

—reduces the cost of fixing the error

—the quick feedback cycle can help the programmer

A programmer has the opportunity to correct mistakes he or she wasn’t previously aware could even happen.

A static analysis tool acts as a means of knowledge transfer.

When a new attack is discovered, static analysis tools make it easy to recheck a large body of code

—Some security defects exist in software for years before they are discovered, which makes the ability to review legacy code for newly discovered types of defects invaluable.

Limitations of Static Analysis

A false positive is a problem reported in a program when no problem actually exists.

A false negative is a problem that exists in the program but that the tool does not report.

The most common complaint against static analysis tools is too many false positives, AKA false alarms (too much noise).

—False positives are certainly undesirable, but from a security perspective, false negatives are much worse.

For a static analysis tool to catch a defect, the defect must be visible in the code.

—It is often hard to derive design vulnerabilities from the implementation alone.
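A toy checker, added here as an illustration and not code from the page or from Chess and West, makes the vocabulary above concrete. It runs two pattern-based rules over a constructed C fragment, scores each rule against a hand-assigned ground truth, and shows a false positive (a guarded strcpy), a false negative (an unchecked memcpy the naive rule has no pattern for), and a line the tool can say nothing about because any weakness there would be in the design rather than visible in the code. The rules, the sample lines and the ground-truth set are all constructed for the example.

```typescript
// Constructed C fragment, one statement per line, used only as checker input
// (not code from the page or the book).
const SAMPLE_SOURCE: string[] = [
  "char buf[64];",
  "strcpy(buf, argv[1]);",                              // line 2: real unbounded copy
  "if (strlen(src) < sizeof(buf)) strcpy(buf, src);",   // line 3: copy is length-guarded
  "memcpy(buf, src, len);",                             // line 4: length never checked
  "if (is_owner(user, doc)) delete_document(doc);",     // line 5: whether is_owner is the
                                                        //   right check is a design question
                                                        //   the checker cannot see
];

// Ground truth a human reviewer would assign (constructed for the example).
const TRULY_VULNERABLE_LINES: Set<number> = new Set([2, 4]);

interface Finding { line: number; rule: string; }

// Rule set 1: flag every strcpy call. Simple, loud and context-free.
function checkNaive(lines: string[]): Finding[] {
  const out: Finding[] = [];
  lines.forEach((text, i) => {
    if (/\bstrcpy\s*\(/.test(text)) out.push({ line: i + 1, rule: "unbounded-strcpy" });
  });
  return out;
}

// Rule set 2: suppress strcpy when a length guard appears in the same statement,
// and additionally flag memcpy whose length argument is not a sizeof expression.
function checkRefined(lines: string[]): Finding[] {
  const out: Finding[] = [];
  lines.forEach((text, i) => {
    const guarded = /\b(strlen|sizeof)\s*\(/.test(text);
    if (/\bstrcpy\s*\(/.test(text) && !guarded) {
      out.push({ line: i + 1, rule: "unbounded-strcpy" });
    }
    const m = /\bmemcpy\s*\([^,]+,[^,]+,\s*([^)]+)\)/.exec(text);
    const lenArg = m ? m[1] : "";
    if (m && !/\bsizeof\b/.test(lenArg)) {
      out.push({ line: i + 1, rule: "unchecked-memcpy-length" });
    }
  });
  return out;
}

interface Score { truePositives: number; falsePositives: number; falseNegatives: number; }

// Compare what a rule set reported with the ground truth.
function score(findings: Finding[], truth: Set<number>): Score {
  const reported = new Set(findings.map(f => f.line));
  const s: Score = { truePositives: 0, falsePositives: 0, falseNegatives: 0 };
  reported.forEach(l => { if (truth.has(l)) s.truePositives++; else s.falsePositives++; });
  truth.forEach(l => { if (!reported.has(l)) s.falseNegatives++; });
  return s;
}

// Stand-alone run: the naive rule set yields 1 true positive, 1 false positive
// (line 3) and 1 false negative (line 4); the refined set yields 2/0/0.
console.log("naive:  ", score(checkNaive(SAMPLE_SOURCE), TRULY_VULNERABLE_LINES));
console.log("refined:", score(checkRefined(SAMPLE_SOURCE), TRULY_VULNERABLE_LINES));
```

The refined rule set fixes both mistakes on this input, but only because the guard is in the same statement; a guard two lines earlier would bring the false positive back, and a call the rules have never heard of stays invisible, which is the false-negative risk the slide warns about.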

Categories of Static Analysis Tools

Static analysis is used more widely than many people realize, partially because there are many kinds of static analysis tools


—Type checking

—Style checking

—Program understanding

—Program verification

—Property checking

—Bug finding

—Security review

Type Checking

The most widely used form of static analysis.

Most programmers are familiar with it.

The rules of type checking are typically defined by the programming language and enforced by the compiler.

So the programmer gets little say in when the analysis is performed or how it works.

Type checking removes entire categories of programming mistakes

Type checking suffers from false positives and false negatives just like all other static analysis techniques

Interestingly, programmers rarely complain about a type checker’s limitations

Type Checking False Positive Examples
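The examples this slide refers to are not in the text. The following TypeScript, added here and not code from the page or from the book, shows the two failure modes of a type checker: a false positive, where tsc rejects an assignment that would run correctly, and a false negative, where the checker accepts a program that fails with a type error at runtime because array types are covariant. The Dog, Beagle and Tabby names are constructed.

```typescript
// False positive: the checker rejects a program that would run correctly.
function typeCheckerFalsePositive(): number {
  const n: number = parseInt("5", 10); // n is 5 at runtime, but typed only as number
  // @ts-expect-error tsc rejects this: 'number' is not assignable to the literal type '5'
  const five: 5 = n;
  return five;
}

// False negative: the checker accepts a program that has a type error at runtime.
interface Dog { bark(): string; }
class Beagle implements Dog { bark(): string { return "woof"; } }
class Tabby { meow(): string { return "meow"; } }   // not a Dog: no bark()

function typeCheckerFalseNegative(): string {
  const dogs: Dog[] = [new Beagle()];
  const anything: object[] = dogs;  // allowed: TypeScript array types are covariant
  anything.push(new Tabby());       // type checks, yet dogs now contains a Tabby
  try {
    for (const d of dogs) d.bark(); // statically every element is a Dog
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError at runtime" : "other error";
  }
}

// Stand-alone run: prints 5, then "TypeError at runtime".
console.log(typeCheckerFalsePositive());
console.log(typeCheckerFalseNegative());
```

The second function is the kind of case the slides have in mind when they say programmers rarely complain: the checker's rules are fixed by the language, so the unsound array assignment is simply accepted, and the error surfaces only when the program runs.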



Style Checking

Style checkers generally enforce a pickier and more superficial set of rules than a type checker.

Pure style checkers enforce rules related to whitespace, naming, deprecated functions, commenting, program structure, etc.

Because many programmers are attached to their own version of good style, most style checkers are quite flexible about the set of rules they enforce.

The errors produced by style checkers often affect the readability and the maintainability of the code but do not indicate that a particular error will occur

Over time, some compilers have implemented optional style checks

Many open source and commercial style checkers are available. A famous one is lint.
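A miniature style checker, added here as an example and not code from the page or from lint, shows the shape of such a tool: a catalogue of line-level rules and an enabled set that the user tunes. With every rule on, most findings concern readability; with only the deprecated-function rule enabled, what remains is the one finding that points at a call that can actually fail. The rule names, the rule catalogue and the sample C lines are constructed.

```typescript
// A style rule: a name, a predicate over one source line, and a message.
interface StyleRule { name: string; test: (line: string) => boolean; message: string; }

// Rule catalogue (constructed for the example; real style checkers ship hundreds).
const STYLE_RULES: StyleRule[] = [
  { name: "trailing-whitespace", test: l => /[ \t]+$/.test(l), message: "trailing whitespace" },
  { name: "tab-indent", test: l => /^\t/.test(l), message: "tab used for indentation" },
  { name: "deprecated-gets", test: l => /\bgets\s*\(/.test(l), message: "gets() is deprecated; use fgets()" },
  { name: "macro-naming", test: l => /^#define\s+[a-z]/.test(l), message: "macro names should be upper case" },
];

interface StyleFinding { line: number; rule: string; message: string; }

// Run only the enabled rules; the enabled set is the part users customise.
function styleCheck(lines: string[], enabled: Set<string>): StyleFinding[] {
  const out: StyleFinding[] = [];
  lines.forEach((text, i) => {
    for (const r of STYLE_RULES) {
      if (enabled.has(r.name) && r.test(text)) {
        out.push({ line: i + 1, rule: r.name, message: r.message });
      }
    }
  });
  return out;
}

// Constructed C fragment (not from the page).
const STYLE_SAMPLE: string[] = [
  "#define buffer_size 64",       // line 1: lower-case macro name
  "char buf[buffer_size];   ",    // line 2: trailing spaces
  "\tgets(buf);",                 // line 3: tab indent and a deprecated, unsafe call
];

const ALL_RULES: Set<string> = new Set(STYLE_RULES.map(r => r.name));
const SECURITY_RELEVANT_ONLY: Set<string> = new Set(["deprecated-gets"]);

// Stand-alone run: 4 findings with every rule on, 1 finding (line 3) with the
// deprecated-function rule alone.
console.log(styleCheck(STYLE_SAMPLE, ALL_RULES));
console.log(styleCheck(STYLE_SAMPLE, SECURITY_RELEVANT_ONLY));
```

Three of the four findings say nothing about whether the program will misbehave; only the gets() finding does, and a team that wants a style checker to carry some security weight typically does exactly this kind of narrowing of the enabled set.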



Secure Programming with Static Analysis, Brian Chess, Jacob West, 2008, Chapters 2, 3, 4.