Using static analysis to detect coding errors in open source security-critical server applications
Dave Kleidermacher, Green Hills Software
embedded.com (March 05, 2014)
Editor’s Note: Excerpted from their book Embedded Systems Security, the authors go through an analysis of three popular, security-critical open source applications - Apache, OpenSSL, and sendmail – and demonstrate how static analysis of the underlying C code can be used to find bugs that are often overlook doing a manual inspection.
Many would argue that the code quality of some popular open source applications is expected to be relatively high. As one person put it, “By sharing source code, open source developers make software more robust. Programs get used and tested in a wider variety of contexts than one programmer could generate, and bugs get uncovered that otherwise would not be found.”[1]
Unfortunately, in a complex software application (such as Apache), it is simply not feasible for all flaws to be found by manual inspection. To help demonstrate the types of coding errors that can be efficiently detected and prevented using static source code analysis, we consider a case study of three popular, security-critical open source applications - Apache, OpenSSL, and sendmail - that were analyzed using Green Hills Software’s DoubleCheck static source code analyzer.
Apache is an open source hypertext transfer protocol (HTTP) server, the most popular in the world, powering a majority of the websites on the Internet. Given the ubiquity of Apache and the world’s dependence on the Internet, the reliability and security of Apache represent an important concern for all of us. A serious flaw in Apache could cause widespread inconvenience, financial loss, or worse. The Apache web server consists of approximately 200,000 lines of code, 80,000 individual executable statements, and 2,000 functions.
Related Semiconductor IP
- AES GCM IP Core
- High Speed Ethernet Quad 10G to 100G PCS
- High Speed Ethernet Gen-2 Quad 100G PCS IP
- High Speed Ethernet 4/2/1-Lane 100G PCS
- High Speed Ethernet 2/4/8-Lane 200G/400G PCS
Related White Papers
- Practical Applications of Statistical Static Timing Analysis
- Paving the way for the next generation of audio codec for True Wireless Stereo (TWS) applications - PART 5 : Cutting time to market in a safe and timely manner
- Allowing server-class storage in embedded applications
- SoCs: Supporting Socketization -> Verifying cores catches coding errors
Latest White Papers
- New Realities Demand a New Approach to System Verification and Validation
- How silicon and circuit optimizations help FPGAs offer lower size, power and cost in video bridging applications
- Sustainable Hardware Specialization
- PCIe IP With Enhanced Security For The Automotive Market
- Top 5 Reasons why CPU is the Best Processor for AI Inference