Secure Programming with Static Analysis Brian Chess, Ph.D.

Chapter 2: Static Analysis
- Static analysis is the process of analyzing code without executing it.
- There are many static analysis tools for detecting security problems.
- They work for a programmer the way a spelling checker works for a writer: they detect certain kinds of problems, but not all, and running them won't guarantee perfect code.

Static Analysis: Capabilities and Limitations
- Unbiased checking: the tool examines the code, not the running program.
- Early checking and knowledge transfer.
- Can examine code for newly discovered types of defects.
- False positives vs. false negatives.
- Design defects may not be visible in the code; those call for architectural risk analysis.

Solving Problems with Static Analysis
- Type checking
- Style checking
- Program understanding
- Program verification
- Property checking
- Bug finding
- Security review

Type Checking
- Done mostly at compilation.
- May produce false positives and false negatives.
- Examples: next two slides.

Type Checking – False Positive example

Type Checking – False Negative example
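The slide images are not in this transcript, so the following is an added illustration of the two cases (my own example, not the slides' or the book's code). The false positive is safe code that the Java type checker rejects; the false negative is unsafe code it accepts:

```java
// Added example, not from the slides: a type-checker false positive
// (safe code rejected) and a false negative (unsafe code accepted).
public class TypeCheckExamples {

    // False positive: the value 1 always fits in a short, yet the compiler
    // rejects the narrowing assignment from int to short.
    static short falsePositive() {
        int i = 1;
        // short s = i;      // compile error: possible lossy conversion from int to short
        short s = (short) i; // the programmer has to silence the checker with a cast
        return s;
    }

    // False negative: Java arrays are covariant, so this compiles cleanly,
    // but storing an Object into what is really a String[] fails at run time
    // with ArrayStoreException. The type checker reports nothing.
    static void falseNegative() {
        Object[] objs = new String[1];
        objs[0] = new Object(); // throws java.lang.ArrayStoreException
    }

    public static void main(String[] args) {
        System.out.println(falsePositive()); // 1
        try {
            falseNegative();
        } catch (ArrayStoreException e) {
            System.out.println("caught " + e);
        }
    }
}
```

The second case is the more interesting one for a reviewer: the checker is silent exactly where the program fails, which is why type checking alone is not a substitute for the other analyses listed on the previous slide.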

Style Checking
- These are more superficial than type checks.
- They enforce rules about naming, white space, deprecated functions, commenting, program structure, etc.
- Such defects affect the readability and maintainability of a program but do not cause errors.
- Examples: PMD (pmd.sourceforge.net) and Parasoft, style checkers for Java and C.

Style Checking Example

Program Understanding
- Tools that help with large code bases.
- Simple examples: find, replace, rename variables, splitting code, etc.
- More advanced tools give insight into how a program works; example: reverse-engineering the design from the implementation.
- Fujaba allows moving back and forth between Java and UML.

Fujaba

Program Verification and Property Checking
- "Program verification" is checking that code adheres to a set of specifications.
- It is not practical to write complete specifications for all of a program.
- "Property checking" is checking against a partial set of specifications.
- "Sound tools" are tools that claim to produce no false negatives. However, striving for soundness may result in false positives.
- Example: next slides.

Property Checking Example

Property Checking False Positive
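Since the example slides are not reproduced here, this added example (mine, not from the slides) checks one partial specification, "every stream that is opened is closed on every path out of the method", and shows a violation, a conforming version, and code that a checker reasoning about one method at a time may flag even though it is correct:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example, not from the slides. Property under check:
// "every InputStream that is opened is closed on every path out of the method".
public class PropertyCheckExamples {

    // Violates the property: if read() throws, the stream is never closed.
    static int leaksOnException(String path) throws IOException {
        InputStream in = new FileInputStream(path);
        int first = in.read();
        in.close();
        return first;
    }

    // Satisfies the property: the finally block closes on every path,
    // including the exceptional one.
    static int closesOnAllPaths(String path) throws IOException {
        InputStream in = new FileInputStream(path);
        try {
            return in.read();
        } finally {
            in.close();
        }
    }

    // Likely false positive for a checker that does not look into callees:
    // the stream is closed, but inside a helper method. A sound tool that
    // cannot prove closeQuietly() closes its argument must report this to
    // avoid a false negative.
    static int closesViaHelper(String path) throws IOException {
        InputStream in = new FileInputStream(path);
        try {
            return in.read();
        } finally {
            closeQuietly(in);
        }
    }

    static void closeQuietly(InputStream in) {
        try {
            in.close();
        } catch (IOException ignored) {
            // Nothing useful can be done about a failed close here.
        }
    }
}
```

The third method is the trade-off the slide describes: the tool can only stay sound (no false negatives) on such code by accepting the false positive, or by doing the more expensive interprocedural analysis that follows the stream into closeQuietly().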

Bug Finding
- Finding behaviour not intended by the programmer.
- "Bug idioms" are the rules that come with a bug-finding tool.
- FindBugs (www.findbugs.org) is a bug finder for Java.
- Example: double-checked locking.

Bug Finding Example
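The example slide is an image that did not survive in the transcript, so here is an added version of the double-checked locking idiom (my own code, not FindBugs' documentation or the slides'): the broken form that a bug finder recognizes from its shape alone, and two correct alternatives. The Config class is a constructed stand-in for whatever the singleton holds.

```java
// Added example, not from the slides or from FindBugs: the double-checked
// locking bug idiom and two correct alternatives.
public class DoubleCheckedLocking {

    // Broken idiom. Without volatile, a second thread may observe a non-null
    // reference before the writes made by the constructor are visible to it,
    // and so use a partially constructed object. A bug finder flags this from
    // the code shape: an unsynchronized read, then a synchronized
    // check-and-assign of the same non-volatile field.
    static class Broken {
        private static Config instance;

        static Config getInstance() {
            if (instance == null) {
                synchronized (Broken.class) {
                    if (instance == null) {
                        instance = new Config();
                    }
                }
            }
            return instance;
        }
    }

    // Fix 1: declare the field volatile. Under the Java 5 memory model the
    // volatile write happens-before every later volatile read that sees it,
    // so the constructor's writes are visible along with the reference.
    static class FixedVolatile {
        private static volatile Config instance;

        static Config getInstance() {
            if (instance == null) {
                synchronized (FixedVolatile.class) {
                    if (instance == null) {
                        instance = new Config();
                    }
                }
            }
            return instance;
        }
    }

    // Fix 2: the lazy holder idiom. Class initialization is thread-safe by
    // specification, so neither locking nor volatile is needed.
    static class FixedHolder {
        private static class Holder {
            static final Config INSTANCE = new Config();
        }

        static Config getInstance() {
            return Holder.INSTANCE;
        }
    }

    // Constructed stand-in for the object being lazily created.
    static class Config {
        final int maxConnections = 10;
    }

    public static void main(String[] args) {
        System.out.println(FixedVolatile.getInstance().maxConnections);
        System.out.println(FixedHolder.getInstance().maxConnections);
    }
}
```

Note why this is a bug-finding problem rather than a property-checking one: the Broken class violates no specification anyone wrote down; it simply does not do what its author intended on a multiprocessor, and the tool knows that only because the idiom is in its rule set.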

Security Review
- These use techniques similar to the earlier ones but focus on security issues.
- They can be thought of as a hybrid of property checkers and bug finders: as a property checker, security specifications to check; as a bug finder, common insecure idioms.
- However, security checking should be seen as part of a security review, i.e. the tool suggests the fragments of code suspected of security problems for review.
- Good tools minimize both false positives and false negatives.

Security Review Example
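The slide's example is not in the transcript. As an added illustration of the "hybrid" view (my own code, not the slides'), the pair below uses one common insecure idiom, request data concatenated into SQL text, beside the form that satisfies the security specification "untrusted input reaches the database only as a bound parameter". The method and table names are constructed for the example:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not from the slides. Table and column names are constructed.
public class SecurityReviewExamples {

    // Insecure idiom a bug-finder style rule flags: data from the caller is
    // concatenated into the query, so it becomes part of the SQL rather than
    // a value the database compares against. A reviewer should treat any
    // such report as a fragment to inspect, not as proof of exploitability.
    static ResultSet lookupUserUnsafe(Connection conn, String userName) throws SQLException {
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(
            "SELECT id, email FROM users WHERE name = '" + userName + "'");
    }

    // Property a checker verifies: the query text is a compile-time constant
    // and untrusted input only ever flows into a bind parameter.
    static ResultSet lookupUserSafe(Connection conn, String userName) throws SQLException {
        PreparedStatement stmt =
            conn.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        stmt.setString(1, userName);
        return stmt.executeQuery();
    }
}
```

A property-checking rule ("query strings passed to executeQuery must be constant") and a bug-idiom rule ("string concatenation into SQL") both report the first method and stay silent on the second, which is the overlap the slide calls a hybrid. Where the tool cannot tell whether a concatenated value is trusted, it is reporting a candidate for human review, which is why the slide places these tools inside a security review rather than in place of one.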

Assignment
- Choose one of the static analysis tools mentioned in this chapter and: download and install it; learn what it does and how to use it; present us a demo of it.
- Demos are to be presented on Wednesday, July 30, 2008.