1. 1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian

2. 2 Lint Original static code analyzer of C code Tool that flagged suspicious and non-portable constructs Lint first appeared in the seventh version (V7) of UNIX OS in 1979 Term now applied generically to tools that flag suspicious usage in software written in any computer language Many improvements made to Lint : Secure Programming Lint (Splint)

3. 3 Background - Splint Open source evolved version of Lint. Developed by: Secure Programming Group at the University of Virginia, C S dept. Successor to LCLint. Incorporates original LCL checker developed by Yang Meng Tan.

4. 4 Overview Statically checks C programs for security vulnerabilities & programming mistakes. Uses annotation in source code; creates more powerful checks. Flexible approach. Annotation done based on project at hand. Programmers select points to annotate. More number of annotations leads to better bug detection.

5. 5 Environment Built on Unix Based System. Compiles on Unix, Linux, Solaris and Windows Binaries available for every platform Installation manual available for every platform.

6. 6 Some Problems detected by Splint:  Dereferencing a possibly null pointer  Type mismatches, with greater precision and flexibility than provided by C compilers  Memory management errors including uses of dangling references and memory leaks  Buffer overflow vulnerabilities  Violations of customized naming conventions  Modifications and global variable uses that are inconsistent with specified interfaces

7. 7 Annotating code 1. Ex1 : Null Dereferences  Common cause of failure  Null annotation indicates pointer value may be NULL  Splint indicates error for firstChar1 :- pointer dereferenced declared with Null annotation  No error detected for firstChar2 as true branch of s=NULL returns Null.cRunning Splint char firstChar1 (/*@null@*/ char *s) {3 return *s;} char firstChar2 (/*@null@*/ char *s) {if (s == NULL) return ‘\0’; 9 return *s;} > splint null.c Splint 3.0.1 null.c: (in function firstChar1) null.c:3:11: Dereference of possibly null pointer s: *s null.c:1:35: Storage s may become null Finished checking --- 1 code warning found

8. 8 Annotating code 2. Ex2: Boolean Types  Checks test expression in an if, while, or for statement or an operand of an &&, || or !operator for Boolean.  Warning produced if type of test expression is not Boolean bool.cRunning Splint # include "bool.h" int f (int i, char *s, bool b1, bool b2) { 6 if (i = 3) 7 return b1; 8 if (!i || s) 9 return i; 10 if (s) 11 return 7; 12 if (b1 == b2) 13 return 3; 14 return 2; }  splint bool.c +predboolptr –booltype bool  bool.c:6: Test expression for if is assignment expression: i = 3  bool.c:6: Test expression for if not bool, type int: i = 3  bool.c:7: Return value type bool does not match declared type int: b1  bool.c:8: Operand of ! is non-boolean (int): !i  bool.c:8: Right operand of || is non-boolean (char *): !i || s  bool.c:10: Test expression for if not bool, type char *: s  bool.c:12: Use of == with bool variables (risks inconsistency because of multiple true values): b1 == b2  Finished checking --- 7 code warnings found

9. 9 Download and Use Free software Different binaries available at: http://www.splint.org/ Using Splint – A Manual: http://lclint.cs.virginia.edu/manual/manual.html Download Visual Studio: www.cis.udel.edu

10. 10 Questions?