Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static Code Analysis By: Tim Biggin.

Similar presentations

Presentation on theme: "Static Code Analysis By: Tim Biggin."— Presentation transcript:

1 Static Code Analysis By: Tim Biggin

2 Overview What Static Code Analysis Does Why Should You Use It?
How is it Used? Types of Static Code Analysis Benefits of Static Code Analysis Drawbacks of Static Code Analysis Coding Standardization Integration Tips Comparing Tools and Examples

3 What Static Code Analysis Does
Definition: a method of detecting errors and defects located in the source code of a program without execution. Tools are used to analyze code and locate issues Can be used to make code conform to company style such as indents, spaces, tabs, and standards Produce metrics indicative of code quality (KLoC, file counts, “churn”) 2. thoroughly analyzes code, makes suggestions where code should be changed/modified based on rules defined by user 3. Errors detected quite diverse, ranging from coding defects to meeting coding standards such as MIRSA-C/C++ or CERT C/C++ 4. “churn” – the number of files changed between two builds

4 What Static Code Analysis Does
Tools are automated and analyze 100% of source code without compilation, test cases, or execution Detect errors in boundary conditions, security, logic, and others Advanced tools can be used to mathematically prove the absence of certain run-time errors Static analysis tools can be used to automate much of the code review process Provide a documented list of discovered issues (e.g. description/file/line number) after analysis 2. Other errors: concurrency violations, implementation defects

5 Why Should You Use it? It will increase the likelihood of detecting safety and quality problems earlier Static code analyzers detect errors early in the coding stage, where they are more cost effective to fix Useful during maintenance of legacy code, such as locating unchecked NULL pointers 1. Thus remedying security breaches before they become a problem 2. Minimize impact of errors 3. habit of checking for NULL pointers in the past, without it causes serious errors in code Image retrieved from:

6 Why Should You Use it? Can be more efficient than code reviews or pair programming and consume far less time and resources Help catch subtle issues such as overflows that may be missed by compilers or programmers, which could result in fatal errors Points out unclear code that may be confusing to programmers Can verify all possible execution paths that other methods fail to cover 2. overflows resultant from addition of two integers, out of range, will not throw exception, cause improper behavior 4. Other methods such as: code reviews, debugging, or test cases, fail to validate all likely paths of program 4. Cost of thorough test cases high, still can’t cover all code 4. Also locates memory allocation errors, under/over flows, bound array access, and inconsistent code fragments

7 Why Should You Use it? Static analysis can be applied directly to incomplete or incorrect code, without the need for compilation Likewise, it can be implemented long before the development of test cases As a result of early detection, static analysis can lead to reductions in time and costs and increases in revenue 1. unlike dynamic testing, can be applied directly to incomplete or incorrect code

8 How is it Used? Education Porting Locating Suspicious Code
Code Refactoring Detecting Coding Errors

9 Education It can help new employees adjust to company standards and style Check work done by a novice programmer in an organization Assist professors when grading multiple students’ work and point out areas that need improving 1. Aid in new employee training 1. company style such as indents and variable naming practices 2. Help them find and explain errors quicker 3. improve professor’s grading accuracy by locating issues 3. finding subtle errors students need to improve on

10 Porting Porting software is a major job, especially when it’s not originally planned Hard to know what issues you will encounter when changing platforms Static code analyzers can locate dangerous code fragments, telling you what to modify 2. not likely you will know how to locate dangerous code fragments

11 Locating Suspicious Code
Aids in locating backdoors in outsourced or third party code Locating these issues can prevent security breaches Can also help when using open-source libraries by determining which has the fewest bugs and safest to use 1. Backdoor: areas of suspicious code that don’t get executed under normal circumstances 2. Thus prevents attacks by hackers, who use similar tools

12 Code Refactoring Helps with code refactoring by pointing out areas that should be rewritten Locates large functions, overuse of global data, and complicated class hierarchies Addressing these issues early prevents them from causing structural issues later Pre-1. determine if code refactoring may be needed, it… 2. locate overly large functions, overuse of global variables, and complex class hierarchies leading to unsafe functions

13 Detecting Coding Errors
Can be run after code compilation which alerts programmers of possible issues Formal methods can be used to prove the absence of certain runtime errors (e.g. memory leaks) Develop cleaner more stable builds yielding a quality product 1. analyzers can be run after code compilation 2. prove the absence of bugs rather than just locate them Pre-3. Thus help build security and quality awareness leading to productivity gains

14 Types of Static Analysis
Code Reviews Locating Vulnerabilities Downsides Automated Tools Common Tools Formal Methods Tools Pre-1. static code analysis fairly broad, encompassing manual code reviews, style and error checking software, and more advanced formal methods-based analyzers 1. Common Tools (locate potential problems) 2. Formal Methods Tools (prove absence of certain errors)

15 Code Review Definition: reviewing source code in teams to reveal defects in other teammates’ code People are assigned to the positions of moderator, designer, coder and tester Easier to locate errors in others’ code Offers teams a better understanding of code after a review Detects similar issues as static analysis tools, such as meeting coding standards 3. code should be relatively clear from comments 3. team allows for better defect detection, usually easier to spot issues in someone else’s code than in your own

16 Locating Vulnerabilities
Detects backdoors, locates malicious functions and ensures removal of testing functions Locates malicious logging of personal data by examining logging functions Ensures proper methods of cryptography, unlike DES, MD5, or SHA1 Can trace data from source to destination, locating where a vulnerability is likely to occur 1. testing functions, such as those that interfere with/bypass authentication checks 1. identify malicious functions activated by certain parameters or those issuing unwanted system commands. 2. functions logging information such as passwords, credit card numbers, or SSN. 3. Identify custom encryption (functions like encrypt, encode, etc), as opposed to publicly trusted ones 4. should be done early in life cycle, most cost-effective and easiest to fix defects

17 Downsides Teams must be gathered at regular times to perform the review A checklist must be created prior to the review Must allow for scheduled breaks to ensure reviewers don’t grow tired and lose focus A re-review will most likely be required after issues have been corrected Reviews rely solely on the expertise of the reviewers Pre-1. Unlike the automated forms of static analysis, code reviews are far more time-expensive as… 2. Roles must be assigned to positions moderator, designer, coder and tester 3. shortening their attention spans

18 Automated Tools The majority of static code analysis falls under this category Tools have varying degrees of detection abilities Common tools allow for probable error detection, as well as meeting style and standards Advanced tools can be used to prove the absence of run-time errors 3. only help in locating errors and coding defects or in meeting standards 4. use formal methods

19 Common Tools Automate much of the code review process
These tools locate potential and actual errors, but do not guarantee the absence of issues Use methods of heuristics and statistics to locate errors Although they find errors, they may introduce false-positives and false-negatives False-positive: reliable code identified as erroneous 3. do not require execution of the code 3. tools can vary from variable initialization checks to data flow analysis

20 Common Tools False-negative: erroneous code is missed
Decrease the probability of false-negatives and increase the probability of false-positives

21 Formal Methods Tools Usually used in critical systems and medical software development where safety is vital Use mathematical concepts to find and prove the absence of run-time errors Tools use what is called abstract interpretation These rules can be used to prove absence of uninitialized variables, overflows/underflows, divide-by-zero and out-of-bounds pointers Pre-1. More advanced static code analysis tools use what is called formal methods in their analysis, which are… 1. Faults detected may occur conditionally, giving appearance of functioning normally, cause failure/fatal consequences 2. mathematical theorems for defining rules that analyze complex dynamic systems 2. determining the sign of a computation is example of abstract interpretation

22 Formal Methods Tools Locate possible run-time errors and attempt to prove they will fail Code is classified as proven, failed, unreachable, or unproven for each operation Example from Polyspace analysis on next slide Pre. Can locate conditional errors

23 Formal Methods Tools search for places where a run-time error may occur. It then classifies them as unproven and then attempts to show they will fail, are unreachable or are proven not to fail Results determined without executing code, writing test cases or adding instrumentation to source code or debugging code Image retrieved from:

24 Formal Methods Tools Reduces possibility of false-negatives
Simplifies debugging process by locating source of run-time errors Can be vital for improving the quality of embedded, high-integrity, or critical systems software Save time and money by eliminating defects when they are most cost effective 2. simplifies…run-time error, eliminating wasted time searching for it 2.Tells whether code will or will not cause a fault 3. Such as medical, avionic and automotive software 4. can help organization attain a high quality process, encouraging good safety and quality practices

25 Benefits of Static Code Analysis
Main benefit: reduces cost of fixing defects by detecting them early in the life cycle Early bug detection cuts time spent in development and maintenance Allows for the product to come to the market sooner and stay longer Easily detects effects of the “copy and paste method” saving time from trying to manually locate all copies 1. costs tens time more to fix defect in testing stage compared to coding stage Pre-2. reductions in development costs, higher revenue, and decreased business risk thus… 3. All of these help to increase company reputation and market position.

26 Benefits of Static Code Analysis
Tools offer full code coverage testing Discovers defects in rarely used code other methods miss Tools are not dependent on compiler or project environment Locates defects in exception handling and logging 2. defects in exception handing and logging systems, nearly impossible to locate by other means

27 Drawbacks of Static Code Analysis
Added probability of false negatives and positives False-negatives create a false sense of security and allow bugs into the release False-positives can delay the release and create unneeded work Common static analysis tools cannot detect conditional errors Pre-1. Although these tools offer great advantages in development, they also have numerous drawbacks. 1. For simple tools 4. such as divide-by-zero, resulting from complex computations, only flags them as possible, tools don’t know under what condition it may occur

28 Drawbacks of Static Code Analysis
Integration of tools into development cycle Tools change the way people work Must become part of the organization’s culture Require investments in education and time to learn/use the tools Very hard to integrate on legacy code Time and budget restrictions 1. requires careful integration into build process, offers great utilities for analyzing, also require manual tuning 4. in order for employees to learn the tools and get used to using them 5. Tools designed more for new projects 6. or subject to client development methods/contractual obligations, thus can’t use

29 Coding Standardization
CERT: Computer Emergency Readiness Team Researched internet weaknesses, frequent programming errors Created coding standards to combat these Accumulated findings into CERT C/C++ Secure Code Standard MIRSA: Motor Industry Software Reliability Association Developed guidelines for critical systems Dealt with automotive industry, including aerospace Guidelines cover C and C++ Many tools have upgraded to meet both of these 1. founded by the U.S. government to research ..^.. and educate developers in secure coding standards 1. found that most vulnerability originates from ordinary programming errors 2. created guidelines for C, but recently have developed guidelines for C++ as well.

30 Integration Tips Analysis of legacy code can reveal thousands of issues Have a plan to deal with uncovered issues May choose to hide issues form developers until they can be reviewed and remedied Focus on preventing new issues Do frequent build analyses to ensure issues are being handled by developers 1. probably existed for some time, haven’t adversely affected software 5. if incorporated dealing with issues into regular routines, no problems should be found

31 Integration Tips Create subject matter experts (SMEs)
Learn and service tools Educate developers Identifying false-positives Assigned to each product Should be experts on their tool Integrate tools into daily work of developers Pre. advisable to create several subject matter experts 3. be in charge of answering questions, such as … 4. every product or divided up in larger products Bottom. get devs used to analyzing code prior to check-ins and fixing any found issues

32 Comparing Tools Don’t base decision on number of rules, all may not pertain to your system Don’t decide based on number of system specific rules Compare number of errors detected on a set of projects Features: quality and security checking, standards, cost, licenses, integration process, etc Single or multiple language tool 1. rules pertaining to others are irrelevant to you, only bog down process of integration and complicate setup 1. analyzer designed for windows application finds more errors with fewer rules than cross-platform analyzer implementing more 2. Each tool divides rules in different ways, detect same amount of errors; may also be different quality levels Pre-4. Focus on what features are best for your company/organization such as…

33 Comparing Tools Usability of tool E.g. Visual Studio vs. PVS-Studio
Duplicate warnings filters Saving results Hide and reveal errors Filtering on keywords Both have equal detection of errors End. Comparing two analyzers should be about what tool is best for users and the project

34 Tool Examples IntelliJ IDEA IDE Features Finds probable bugs
Locates dead code IntelliJ IDEA is a standalone IDE with a built-in static code analyzer Finds probable bugs (e.g. null pointer exceptions) Errors are highlighted in the code as written making it easier to use without interrupting coding process Images retrieved from:

35 Tool Examples Detects performance issues
Improves code structure and maintainability Conforms code to guidelines and standards Conforms to specifications (EJB, JSP, JSF, etc.) Improving Code Structure and Maintainability Helps control the use of dependencies by offering suggestions and looks for duplicate code Conforms code to guidelines and standards Locates inconsistencies with coding guidelines and standards from JavaDoc to corporate standards Images retrieved from:

36 Run Example Visual Studio Static Code Analysis
Right-Click on the project in Solution Explorer  Properties  Code Analysis Select Microsoft All Rules rule set in the dropdown box  File  Save

37 Run Example

38 Run Example To run analysis: Right-click on the project in the Solution Explorer  Run Code Analysis, or, Analyze Menu  Run Code Analysis for (project) Violations will be shown as Warnings in the Error List window 2. Default displayed as warnings, can be changed, show that in a bit 2. Each error has detailed information, the code file it was found in, and which line it occurred on 2. Violations can be fixed or suppressed

39 Run Example Configuration
Right-click on the project in Solution Explorer  Properties  Code Analysis Configuration lists potential configurations including: Debug, Release and All Configurations Platform lists different platforms which the code can be compiled on, such as x86 and x64 Each combination can have its own code analysis configuration. Enable Code Analysis on Build checkbox: analysis will occur whenever the code is compiled. Suppress results from generated code checkbox 5. Run manually or done in build process

40 Run Example Rule Sets dropdown menu
After choosing a rule set, Open gives a detailed description of the rules in the set Groups or individual rules can be check/unchecked Change Action: Error, Warning, None Create custom rule sets: File  Save As. Will be added to menu 1. has over 200 rules broken into different groups, further broken down into rule sets targeting specific coding issues

41 Conclusion Static analysis can be a valuable tool in error detection in the process of software development Have various uses within organizations Numerous types, advantages, and features Great for enforcing code standards Although integration may be challenging, they provide substantial cost and time savings Comes down to which tool is the best fit for you

42 References [1] Abraham, J. (2012, June 6). Using formal methods for sophisticated static code analysis. Retrieved June 25, 2012, from EE Times: embedded/ /Using-formal-methods-for-sophisticated-static-code-analysis [2] Carmack, J. (2011, December 27). In-Depth: Static Code Analysis. Retrieved June 25, 2012, from Gamasutra: _Static_Code_ Analysis.php [3] Gousset, M. (2010, April 27). Static Code Analysis Configuration. Retrieved June 27, 2012, from Visual Studio Magazine: 2010/04/27/static-code-analysis-configuration.aspx [4] Gousset, M. (2010, March 25). Static Code Analysis in VS2010. Retrieved June 25, 2012, from Visual Studio Magazine: 2010/03/25/working-with-static-code-analysis.aspx [5] JetBrains, Inc. (n.d.). Static Code Analysis. Retrieved June 25, 2012, from JetBrains: [6] Jones, P., Jetley, R., & Abraham, J. (2010, February 9). A Formal Methods-based verification approach to medical device software analysis. Retrieved June 27, 2012, from EE Times: [7] Karpov, A. (2010, December 27). Cases When a Static Code Analyzer may Help You. Retrieved June 25, 2012, from The Code Project: Articles/ /Cases-When-a-Static-Code-Analyzer-may-Help-You

43 References [8] Karpov, A. (2012, March 12). Static code analysis. Retrieved June 25, 2012, from [9] Karpov, A., & Ryzhkov, E. (2011, March 31). Difficulties of comparing code analyzers, or don't forget about usability. Retrieved June 28, 20120, from viva65: en/a/0071/ [10] Pitchford, M. (2011, March 1). Think static analysis cures all ills? Think again. Retrieved June 25, 2012, from EE Times: embedded/ /Think-static-analysis-cures-all-ills--Think-again- [11] Shetti, V. (2010, August). Why Static Analysis? Retrieved June 25, 2012, from Palizine: [12] Sidner, S. (2010, April 24). When Quality, Security Count. Retrieved June 25, 2012, from Dr. Dobb's: tools/ [13] Vink, G. (2010). Static Code Analysis (SCA) Standardization Efforts & Integration in the Software Development Flow. Retrieved June 25, 2012, from Tasking: .com/resources/Static-Code-Analysis-WhitePaper.pdf [14] Yocum, C. (2011, May 14). An introduction to static code analysis: What, why and how. Retrieved June 25, 2012, from The Register: static_code_analysis_101/

Download ppt "Static Code Analysis By: Tim Biggin."

Similar presentations

Ads by Google