Static Analysis for Safety and Security Critical Software

Cyber Security Chicago

Mark Hermeling | mhermeling@grammatech.com | @markhermeling | @ grammatech

3 © GrammaTech, Inc. All rights reserved.

GrammaTech Vision

GrammaTech helps measure, identify,

understand and resolve software vulnerabilities,

reducing risk and saving time and cost

4 © GrammaTech, Inc. All rights reserved.

5 © GrammaTech, Inc. All rights reserved.

Static Analysis Is Like Magic

Analyzes all execution paths

Finds bugs

Prioritizes bugs

Extensive explanations of bugs

6 © GrammaTech, Inc. All rights reserved.

Not All Static Analysis Is Equal

Coding guidelines and standards

Deep, semantic bugs

Boundary is not always sharp

7 © GrammaTech, Inc. All rights reserved.

Example: strcpy

8 © GrammaTech, Inc. All rights reserved.

Prioritizes Bugs

9 © GrammaTech, Inc. All rights reserved.

Example: Copy-Paste

10 © GrammaTech, Inc. All rights reserved.

Example: Taint

11 © GrammaTech, Inc. All rights reserved.

Static Analysis Is Like Magic

Analyzes all execution paths

Finds bugs

Prioritizes bugs

Extensive explanations of bug

12 © GrammaTech, Inc. All rights reserved.

Classifying Static Analysis Tools

What type of problems does a tool look for

Evaluate recall

Evaluate usability

13 © GrammaTech, Inc. All rights reserved.

The Flip Side Of The Coin

There is an inverse relation

between recall and precision.

Safety and Security requires

the highest recall, finding the

most amount of defects in your

code.

Recall

Precision

Performance

Perf

orm

an

ce

Slow

Fast

14 © GrammaTech, Inc. All rights reserved.

Static Analysis In Your Process

During developer builds

static analysis provides

quick feedback, much like a

compiler error.

15 © GrammaTech, Inc. All rights reserved.

Static Analysis In Your Process

A commit is only accepted if

it passes static and

dynamic tests. Static

analysis results feed into

the code review.

16 © GrammaTech, Inc. All rights reserved.

Static Analysis In Your Process

Deep static analysis is part

of the regression testing

cycle. This includes taint

checking as well as

concurrency checks.

17 © GrammaTech, Inc. All rights reserved.

Static Analysis In Your Process

An independent security

team reviews outstanding

risks as a white or black

box

18 © GrammaTech, Inc. All rights reserved.

Static Analysis In Your Process

Independent security

review

During coding

At commit

During test

[Certification ]

19 © GrammaTech, Inc. All rights reserved.

Take Away

You need to do static analysis

You need to do the right static analysis

At the right place in your process

20 © GrammaTech, Inc. All rights reserved.

Introducing CodeSonar

The deepest static analysis for safety and security critical software– Finds more defects

– Mathematical foundation, support for binary analysis

Developer-friendly interface– Clear explanations with path information

– Whole program navigation and visualization

Highly customizable– Workflows, checkers, search, compare

21 © GrammaTech, Inc. All rights reserved.

Booth 330

mhermeling@grammatech.com

@markhermeling | @grammatech