Code Reviews and Inspections

Code scanners. Two new security related tools were announced this week, both relating to code scanning: RATS and flawfinder. Both tools perform tests on source code in an attempt to find common coding problems that can lead to security vulnerabilities. Such problems are limited to function calls for both RATS and flawfinder. Any functions specified in a flawfinder database are known as hits and will cause any references to them in the source to be examined to be flagged. Flawfinder and RATS join another application its4, which was noted by LWN.net late last year.

According to David Wheeler, author of the Secure Programming for Linux and Unix HOWTO, flawfinder is Python based and was developed in response to issues surrounding Cigital's use of the term open source with its its4 product. Additionally, both flawfinder and RATS developers have agreed to work together.

The developers [of flawfinder and RATS] didn't know about each other's efforts until just before their releases, but they have agreed to coordinate in some way to create a "best of breed" source code scanner.

These scanners are very useful for finding function calls that are often the cause of security problems. Unfortunately, RATS wouldn't compile even though the required Expat library was installed under /usr/lib. Flawfinder worked out of the box, as did its4. Each produced varying results on the same piece of code.

While such tools are helpful, they shouldn't be considered cures for security illnesses in any software. They should be used in conjunction with memory checkers to catch potential buffer overflows. And, of course, nothing beats following some simple programming guidelines.

Automatic Code Analysis and Fault Detection

Static Analysis Tools for C Code

The Leading Commercial Tools

Coverity
Leading edge tool based on Dawson Engler's methodology for source code analysis of large code bases. An extended version of the tool supports user-defined properties in the Metal language. Fast, thorough, few false positives, but can be very expensive.
KlocWork
Support for static error detection, with added project management and project visualization capabilities. Fast, almost as thorough as Coverity, and less expensive. A capability for user-defined checks is pending.
PolySpace
Marketed by a French company co-founded by students of Patrick Cousot (pioneer in the area of abstract interpretation). Polyspace claims it can intercept 100% of the runtime errors in C programs. (See cverifier.htm.) Customers are in the airline industry and the European space program. Can be thorough, but also very slow, and does not scale beyond a few thousand lines of code. Does not support full ANSI-C language (e.g., it places restrictions on the use of gotos).
Purify (Rational)
This tool is focused primarily on the detection of memory leaks, and not on general source code analysis. It is used fairly broadly.
The Lint family, e.g. PC-Lint/FlexeLint (Gimpel), Lint Plus (Cleanscape)
Generic source code analysis, value tracking, some types of array indexing errors. Suffers from high, sometimes very high, false positive rates, but the output can be customized with flags and code annotations.
PREfix and PREfast (Microsoft)
Effective, but Microsoft proprietary, tools. PREfix was developed by Jon Pincus; MicroSoft acquired the tool when it bought Pincus' company. PREfast is a lighter weight tool, developed within Microsoft as a faster alternative to PREfix (though it is not based on PREfix itself). Both these tools are reported to be very effective in intercepting defects early, and come with filtering methods for the output to reduce the false positive ratio. PREfast allows for new defect patterns to be defined via plugins. Less than 10% of the code of PREfix is said to concern with analysis per se, most applies to the filtering and presentation of output, to reduce the number of false positives.
CodeSonar (Grammatech)
A new member of the CodeSurfer family (see below). Not evaluated yet.
Safer C (Oakwood Computing)
Based on L. Halton's 1995 book on Safer C, now out of print, covering code analysis and enforcement of coding guidelines.

Academic and Research tools

ESC (Compaq/HP)
Extended static checker for Java and for Modula3. developed by Greg Nelson and colleagues, which is based on a mix of theorem proving and static analysis. It's thorough and effective, but also slow, and needs considerable knowledge to run. This tool does not target C, and therefore does not properly belong in this listing, but we include it as one of the landmark research tools in this domain.
LC-Lint
The descendent of the early research Unix version of lint, which was written by Steve Johnson in 1979. This tool needs lots of annotations to work well, and often produces overwhelming amounts of output.
Vault (MicroSoft)
An experimental system, in development at MicroSoft by Rob DeLine and Manuel Fahndrich. It is based on formal annotations placed in the code.
Astree (CNRS, France)
Astree is a static program analyzer for structured C programs, but without support for dynamic memory allocation and recursion (as used, for instance for embedded systems and in safety critical systems). The tool name is an acronym for Analyseur statique de logiciels temps-reel embarques (static analyzer for real-time embedded software). Among those working on this tool are Patrick and Radhia Cousot.
CGS (C Global Surveyor, NASA ARC)
A tool in development at NASA Ames Research Center by Guillaume Brat and Arnaud Venet, based on abstract interpretation techniques, inspired by Patrick Cousot. The tool is designed to be a specialized tool for flight software applications.
C-Kit (Bell Labs).
A research toolkit developed at Bell Labs, with algorithms for pointer alias analysis, program slicing, etc. for ANSI C. Written in SML. Can produce parsetree and symbol table information, but, as yet, not call flow graphs or function call graphs. The principal researchers involved in this work (Nevin Heintze, Jon Riecke, Dave MacQueen) are no longer at Bell Labs and development has stopped.
Uno (Bell Labs)
Lightweight tool for static analysis. The tool is targeted at a small set of common programming defects (Uninitialized data, Nil-pointer dereferencing, and Out-of-bound array indexing, with the three initial letters giving the tool its name). It also handles a range of simple, user-defined properties.
Orion (Bell Labs)
Work in progress on an extension of Uno for C++, based on gcc.

Other tools (Code Browsers; Development Environments)

Programming Style or Guidelines Checkers
CodeSurfer
Supports data dependence analysis, program slicing for C, interprocedural flow analysis. The company was co-founded by Tom Reps. Very well done GUI. Mostly research applications.
Semantic Designs
Offers front-ends for many different languages, Supports some flow analysis. Geared towards code transformations or re-engineering. Targets large code bases.

Links

Copyright © 1996-2007 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008