Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
An Analysis Framework and Additive Software Analysis
Paul E. Black Software Quality Group Software and Systems Division
16 July 2016
Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.
2
Outline
l A Framework for Software Assurance l Additive Software Analysis
3
4
Analyzer A
Reporter M
Checker Q
Analyzer F
Checker B
Tester T
5
Framework for Software
Testing and Assurance
Analyzer A
Reporter M
Checker Q
Analyzer F
Checker B
Tester T
Standards for Information Exchange
Functions of a Framework
l Aggregate tool outputs. l Allow software assurance checkers to
interoperate. l Pass program information between tools.
6
Benefits of a Framework
l Modular and distributed development. – Existing modules may be replaced by superior ones. – Facilitate synergy between groups of researchers.
l Enable development of “hybrid” tools. – A tool uses a static analyzer module to find problematic
code locations, then uses a constraint satisfier module and a symbolic execution engine to create inputs that trigger failures.
7
8
Framework for Software
Testing and Assurance
Analyzer A
Reporter M
Checker Q
Analyzer F
Checker B
Tester T
Standards for Information Exchange
Possibly Useful Information
l Location in code – File name, class file, method/function name,
line number, etc. l Variables visible at a location l Possible variable values at a location
– Intervals? enumerations? relations (e.g. x < y) l Data flows l Paths l Stack traces
9
Additional Information
l Origin of binary chunk in source code l Warnings of possible problems l Assertion, pre- & postcondition, invariant l Function signatures
10
XKCD cartoon used with permission. Permanent link is http://xkcd.com/927/
Much of This Already Exists
l LLVM l Clang l gcc l Rose compiler infrastructure l findbugs l Yasca l TOIF, SAFES l Code Dx
ADDITIVE SOFTWARE ANALYSIS
12
Each analyzer or checker added gives the programmer more information.
Case 1: More Information
13
SQL Injection
Program - Target of
Evaluation
Each analyzer or checker added gives the programmer more information.
Case 1: More Information
14
SQL Injection
Program - Target of
Evaluation
Deadlock
Results are correlated or compared to provide better information than either one alone.
Case 2: Confirmation
15
Program - Target of
Evaluation
Results are correlated or compared to provide better information than either one alone.
Case 2: Confirmation
16
Program - Target of
Evaluation
heuristic J
Results are correlated or compared to provide better information than either one alone.
Case 2: Confirmation
17
Program - Target of
Evaluation
heuristic J
heuristic K
Another example: tie static analysis with execution monitoring and constraint solving to get a hybrid analyzer.
Case 3: Synergy
18
extract program flow from binary
Program - Target of
Evaluation
analyze memory use w/ separation logic
Additive Software Analysis Benefits
l Checkers and analyzers work together. l Foster an “ecosystem” for tools. l Growing set of problematic and virtuous
programming patterns and idioms may be checked by tools.
19
Possibly Useful Information
l A descriptive taxonomy of checkers. – Inputs needed. – Languages/constructs handled. – Checking/analysis performed. – Outputs provided.
l A catalog of publically-vetted checkers and analyzers.
l A publicly accessible repository of checkers.
20
Framework and Additive Software Analysis Together Are Powerful
21
Analyzer A
Reporter M
Checker Q
Analyzer F
Checker B
Standards for Information Exchange