Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Open Source Code February, 2009 David Maxwell Open Source Strategist For Southern California Linux Expo.

Published byAugustine Ellis Modified over 8 years ago

Similar presentations

Presentation on theme: "Analyzing Open Source Code February, 2009 David Maxwell Open Source Strategist For Southern California Linux Expo."— Presentation transcript:

1 Analyzing Open Source Code February, 2009 David Maxwell Open Source Strategist For Southern California Linux Expo

2 2 Agenda Background on the Scan Open Source Report 2008 Self-Builds Rung 3 Architectural Analysis + Architecture Library Summary

3 3 Background on the Scan 1/2 Coverity Prevent is a static code analysis tool that does –Path Simulation –Data Flow Analysis –False Path Pruning By understanding the control flow of code, and the data flow, contradictions can be identified –Memory freed, then used as if not freed –Lock request issued, while already holding same lock, or a contrary lock –Function can return an edge-case value (negative, or NULL) and calling function uses return value unsafely, without checking first –Multiplication performed, but inputs lead to arithmetic overflow

4 4 char buf[8]; if (a)‏ b = new char [5];if (a && b)‏ buf[8] = a;delete [] b; *b = ‘x’; END *a = *b; a!a a && b !(a && b)‏ A False Path

5 5 Background on the Scan 2/2 Under contract for US Dept. Homeland Security –Cyber Security Open Source Hardening Project Analyze Open Source codebases –Static Analysis finds Quality and Security issues –Provide access to the Open Source developers –Developers fix identified issues Codebases become more resistant to attack, more stable, more reliable –Over 8,500 defects fixed, since project launch, March 2006

6 6 Open Source Hardening How: scan.coverity.com ● Website and Service launched March 2006 ● Open-source developers register their project ● Coverity automatically downloads and runs Prevent over it ● Developers get logins to the same defect manager interface customers use Coverity runs it as a service for the open source developers

7 7 Who is David Maxwell ? Coverity's Open Source Strategist Hired to maintain and coordinate Coverity's efforts on behalf of D.H.S. Open Source developer on NetBSD operating system ● Software and network security specialist ● NetBSD Security Officer 2001-2006 ● Over 24 year background in programming, network design, and operating systems

8 8 How is Open Source relevant to Homeland Security ?

9 9

10 10 Report on Open Source Software 2008 Original Scan/Coverity research Based on the analysis of –Over 55 million lines of code –From more than 250 open source projects –Representing 14,238 individual project analysis runs –Totaling nearly 10 billion lines of code analyzed All analysis performed with the same tools and configuration –Scan Benchmark 2006 Let's Reconsider some common beliefs about good coding practices...

11 11 Function Length What makes a function ‘long’? –A single, sequential set of operations Are those operations common elsewhere in the code? –A large switch statement Protocol decoding is a common example –A function with many different code paths Conditional execution – lots of if() statements Average function lengths in the Scan database ranged from –Low of 14 lines –High of 345 lines –The longest average is almost 25x the shortest average

12 12 Defect Density/Function Length

13 13 Defect Count or Defect Density Defect Counts –Absolute number of defects identified in a particular piece of code 314 defects in a particular codebase Defect Density will be referred to many times during this session –Number of defects per 1,000 lines of code 1.0 = 1 defect in 1,000 lines of code 0.5 = 1 defect in 2,000 lines of code

14 14 Overall Project Progress

15 15 Frequency of Defects 0.21%49Use Before Test (negative)‏ 0.31%72Buffer Overrun (dynamically allocated)‏ 0.62%144Type and Allocation Size Mismatch 3.72%859Unsafe use of Returned Negative 5.50%1,268Uninitialized Values Read 5.85%1,349Unsafe use of Returned NULL 6.46%1,491Use After Free 6.14%1,417Buffer Overrun (statically allocated)‏ 8.09%1,867Use Before Test (NULL)‏ 9.76%2,252Unintentional Ignored Expressions 25.73%5,852Resource Leak 27.95%6,448NULL Pointer Dereference Percentage# of DefectsDefect Type

16 16 Cyclomatic Complexity/Lines of Code

17 17 Additional References Gartner –Jim Duggan & Mark Driver Forrester Research –Jeffrey Hammond IDC –Melinda Ballou Voke –Theresa Lanowitz

18 18 Summary Findings Open source benefits from static analysis –Overall defect density dropped 16% over the past two years Prevalence of individual defect types –There is a clear distinction between common and uncommon defect types across open source projects –Defect frequency may directly relate to frequency of types of operations False positives identified to date are a reasonably small percentage of results –Currently below 14%

19 19 DHS Contract Expiry Three year contract is over

20 20 DHS Contract Expiry Three year contract is over Scan will continue, and continue to grow... –Sponsored by Coverity, and partners Starting with the following 3 initiatives:

21 21 Self-Builds Coverity's Analysis requires code be compiled –Coverity has been managing builds for all Open Source projects in the Scan Changing version control systems Changing library dependencies Changing compiler dependencies Changing Environment dependencies Creates a bottleneck on Scan staff time Released to current Scan projects in Nov 2008 –Projects can now do their own builds, and submit them for analysis

22 22 Self-Builds Coverity's Analysis requires code be compiled –Coverity has been managing builds for all Open Source projects in the Scan Changing version control systems Changing library dependencies Changing compiler dependencies Changing Environment dependencies Creates a bottleneck on Scan staff time Released to current Scan projects in Nov 2008 –Projects can now do their own builds, and submit them for analysis Will be opened to new projects in the near future Coverity's Analysis requires code be compiled –Coverity has been managing builds for all Open Source projects in the Scan Changing version control systems Changing library dependencies Changing compiler dependencies Changing Environment dependencies Creates a bottleneck on Scan staff time Released to current Scan projects in Nov 2008 –Projects can now do their own builds, and submit them for analysis Coverity's Analysis requires code be compiled –Coverity has been managing builds for all Open Source projects in the Scan Changing version control systems Changing library dependencies Changing compiler dependencies Changing Environment dependencies Creates a bottleneck on Scan staff time Released to current Scan projects in Nov 2008 –Projects can now do their own builds, and submit them for analysis

23 23 Rung 3 Conceptual Scan Ladder –Open Source projects progress as they resolve defects Supports common analysis configuration on a given Rung –Allows comparison and statistical analysis Rung 2 was announced January 2008

24 24 Rung 3 Conceptual Scan Ladder –Open Source projects progress as they resolve defects Supports common analysis configuration on a given Rung –Allows comparison and statistical analysis Rung 2 was announced January 2008 Rung 3 to be announced soon –New Prevent version 4.2 –More Security checkers –Concurrency checkers –Boolean Satisfiability for False Path Pruning

25 25 Architectural Analysis Separate data, about high level architecture of code, not low level code defects Collected by the same analysis mechanisms

26 26 Architectural Analysis

27 27 Architectural Analysis

28 28 Architectural Analysis Will be available to Scan projects –Starting with Rung 3

29 29 Q & A Questions?

30 30

Download ppt "Analyzing Open Source Code February, 2009 David Maxwell Open Source Strategist For Southern California Linux Expo."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
DB-03: A Tour of the OpenEdge™ RDBMS Storage Architecture Richard Banville Technical Fellow.

DB-03: A Tour of the OpenEdge™ RDBMS Storage Architecture Richard Banville Technical Fellow.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Static code check – Klocwork

Static code check – Klocwork
RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
Memory Layout C and Data Structures Baojian Hua

Memory Layout C and Data Structures Baojian Hua
Conceptual Architecture of PostgreSQL PopSQL Andrew Heard, Daniel Basilio, Eril Berkok, Julia Canella, Mark Fischer, Misiu Godfrey.

Conceptual Architecture of PostgreSQL PopSQL Andrew Heard, Daniel Basilio, Eril Berkok, Julia Canella, Mark Fischer, Misiu Godfrey.
Introduction and simple using of Oracle Logistics Information System Yaxian Yao

Introduction and simple using of Oracle Logistics Information System Yaxian Yao
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
University of Maryland Bug Driven Bug Finding Chadd Williams.

University of Maryland Bug Driven Bug Finding Chadd Williams.
Natalia Yastrebova 02.08.2010. What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.

Natalia Yastrebova What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.
5.1 Advanced Operating Systems Operating Systems Bugs Linux's code has been significantly growing during last years. Is this code bugs free? Obviously.

5.1 Advanced Operating Systems Operating Systems Bugs Linux's code has been significantly growing during last years. Is this code bugs free? Obviously.
Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.

Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.
Embedded Software Programming and Implementation Guidelines Software Engineering for Embedded System Ch.7 Robert Oshana and Mark Kraeling Presented by.

Embedded Software Programming and Implementation Guidelines Software Engineering for Embedded System Ch.7 Robert Oshana and Mark Kraeling Presented by.
Axel Naumann. Outline  Static Code Analysis  Coverity  Reporting Tools, Report Quality  Demo: Examples 2010-01-20Axel Naumann Application Area Meeting2.

Axel Naumann. Outline  Static Code Analysis  Coverity  Reporting Tools, Report Quality  "Demo": Examples Axel Naumann Application Area Meeting2.
* Third party brands and names are the property of their respective owners. Performance Tuning Linux* Applications LinuxWorld Conference & Expo Gary Carleton.

* Third party brands and names are the property of their respective owners. Performance Tuning Linux* Applications LinuxWorld Conference & Expo Gary Carleton.
Computer Programming 2 Why do we study Java….. Java is Simple It has none of the following: operator overloading, header files, pre- processor, pointer.

Computer Programming 2 Why do we study Java….. Java is Simple It has none of the following: operator overloading, header files, pre- processor, pointer.

Similar presentations

Ads by Google