Lightning talk #10 – CWE – Software Weaknesses – Codesonar
Static source code analysis tools
Source code analysis tools are designed to analyze source code and/or compiled versions of code to help find security flaws.
Software weaknesses – detected by codesonar
As you can see, Codesonar detects a lot of errors, at compile time.
If we’re looking closely, we can see that a lot of errors refer to ‘Use of ….<command>’. These commands are known as unsafe, mainly because it’s easy to use them incorrectly. When you try to use them, the IDE will most likely throw a warning notifying the developer that they are unsafe, and that they should use a different (safer) function.
Next, another set of errors refer to macros. If you avoid macros or if you pay more attention when using them, you should be fine.
Other errors will cause compile-time errors (No matching #endif, #if, Unbalanced paranthesis), which is nice, because these errors will not show up at runtime.
Next, we have a few important errors: Buffer overrun or underrun, Cast alters value, Double Close/Free/Lock/Unlock, Locked Twice, Null pointer dereference…these errors can be hard to catch, but you know what to look for when checking your code for errors.
How to get rid of half of issues
Based on the errors, we can see that we can get rid of half of the issues by doing the following:
- Avoid macros
- Run build and clear the errors
- Avoid using unsafe commands
- Careful with mutex lock / unlock
- Careful with double delete
- Avoid overflow / underflow and be careful with type casts
- Avoid ancient features (goto, setjmp, longjmp)
- Pay attention to the code (uninitialized vars, unreachable code, unused value, ignored return value)
How to get rid of the other half of the issues
The other errors can be limited by doing the following:
- Careful with locking order
- Careful when using pointers
- Check pointers before dereferencing them
- Think about concurrency problems (data race, deadlocks)
- Stick to the coding standards
- Check for memory leaks
- Check function return values (even for string format)