Static analysis to the rescue
It turns out that static source analyzers have solutions for that as
well. Analyzing one source line at a time is not sufficient. What is
really needed is analysis between the interaction of any two source
lines that have anything in common (like path of execution, access to
the same data, etc.).
Static source analyzers can do exactly that, no matter how far two
source lines of code are physically distant from each other. They do it
by internally building data structures based largely on compiler
optimization techniques, like forward and backward data flow analysis,
and control flow graphs. This may sound like a load of technical
gibberish, but the good news is that static analyzers can spot
interdependencies that even experienced programmers would not detect.
 |
| Figure
2: Static source analyzer integrated into the application builder.
Every time a developer builds an application, current defects are
immediately reported and can be quickly addressed and fixed. Source:
Green Hills Software. |
Furthermore, while trying to employ thousands of programmers to
manually read through and verify source code will likely lead to
mutiny, static analyzers will happily analyze a system or application
of any size, with the same scrutiny and rigor.
Legacy code that is almost never used (and is potentially riddled
with security holes) is not spared from the inspection; static
analyzers dip and peak into every nook and cranny until the entire base
is completely scrubbed.
No Silver Bullet, but. . .
Ok, so static analyzers are great. Let's just run them on every system,
fix all the problems they find, and we're done, right?
Well, not quite. While static analyzers find the classes of problems
that are likely to cause ways to break into a system, there is a class
of problems that is beyond what static analyzers can do today and
possibly ever.
Just as we don't have programs that are intelligent enough to
autonomously design a complete system from scratch, we don't have
static analyzers that are intelligent enough to understand a system the
way a human can. Humans, luckily for us programmers, are not obsolete.
Some cynics might view static source analyzers as yet another weapon
in the hacker arsenal. Those are probably the same cynics who thought
that source line debuggers were a bad idea when they came out decades
ago (it would be unthinkable today to embark on a project of any
significant size without source line debuggers).
It is easy to see why this cynical view is very short sighted.
First, static source analysis works only when the source code is
available, and hackers will generally have access to source code only
for things that are developed from open source. Last time I checked,
most systems used today are proprietary, especially for the highly
secure environments. So, obtaining the source code is not that easy.
Second, hackers need to find only one vulnerability to break in, so
to them it is only a matter of time before they find one " with or
without a static analyzer. The more complex the system is, the easier
it is to find one.
System designers, on the other hand, need to detect and fix as many
vulnerabilities as possible (hopefully all). The more complex the
system is, the harder it will be to detect all vulnerabilities.
Therefore, it is the designers that truly benefit from static analysis,
since it is not just a time saver, but a way to design more secure
systems.
Finally, static analyzers do a lot of grunt work that is simply too
cost prohibitive for humans to perform. In the ultimate twist of irony,
we have been enabled to create more complex systems due to advances in
hardware speed and capacity along with the help of more efficient
software tools and debuggers. Now, static analyzers, as a new breed of
software tools, are helping us overcome the burden of ever expanding
complexity.
If static analyzers seemed like a luxury item a few years ago, and
are a strong recommendation today, in the very near future they will be
a required methodology by which software gets implemented and tested.
To read Part 1, go to "Hackers
favorite tricks."
As a Director of Engineering at Green Hills Software, Nikola Valerjev
is responsible for managing teams that plan, design, and develop new
products, including the DoubleCheck static source analyzer.
He also manages teams that evaluate new and existing solutions from the
user perspective. Mr. Valerjev holds a Bachelor of Science and a Master
of Engineering degree in computer science from Cornell University. He
has been with Green Hills Software since 1997.
