Recorded Webinar
00:00 Introduction Verifysoft
03:06 Introduction Static Analysis
06:19 Concurrency Analysis (Race Conditions, Data Race, Deadlock)
09:12 Compliance with Coding Guidelines
10:25 Checking for Maintainability (Metrics)
12:09 Security Analysis
(Static Application Security Testing (SAST), DevSecOps, 0-Day and N-Day Vulnerabilities)
16:20 CodeSonar
17:09 Software Composition Analysis (SCA)
Problems of Binary Files, Software Bill of Materials (SBOM)
19:02 Software Hardening (Security Attributes)
22:28 CodeSentry
23:18 Static Performance Analysis (Codee)
29:45 Energy Consumption Optimization
Hello and welcome to our webinar "The World of Static Analysis" with my colleague Mr Roy Lut. A short introduction of ourselves and our company: the main person in the webinar will be Mr Roy Lut, who is the director of static C analysis tools at Verifysoft Technology, and myself, I am responsible for international sales at Verifysoft. I will just do a short introduction of who we are and what we offer. The company was founded in 2003 in Offenburg in Germany. Our own tools are Testwell CTC++, a code coverage analyzer, and Testwell CMT++, a code complexity measurement tool. We are also distributor for some other tools, for example Imagix 4D, CodeSecure CodeSentry, Codee; later on a little bit more about these tools. We also offer some seminars. We have more than 750 satisfied customers around the world in over 40 countries on all continents, and as you can see most of them are from safety-critical areas like automotive, automation, aerospace, medical, but we also have some other customers, smaller ones and from other sectors.

So this is about the tools which we offer. Our main tool is Testwell CTC++, a code coverage analyzer, which is a tool to measure code coverage. It does MC/DC coverage, which is very important for safety-critical areas. It is compliant with safety standards, is working with all compilers and all embedded targets, and has some interesting features like, for example, justifications: missing coverage can be justified. It is easily integratable into your CI/CD pipeline and has configurable reports, as you can see in an example. Furthermore we are distributor of other tools. They don't belong to us, but we are distributor, mostly in Germany. It is CodeSonar, which is advanced static code analysis, CodeSentry, which is software composition analysis, Imagix 4D, which is analyzing for example legacy code, and Codee, which is a performance optimization tool.

Yeah, thanks Paulina for the nice introduction. Welcome to the webinar "The World of Static Analysis". Today I would like to show you various possible applications of static analysis, of course without claiming to be exhaustive. So this is the agenda for today's presentation. Due to time constraints I don't want to go too much into detail, but we will rather jump straight into the topic.

For those of you who have not yet dealt with the topic of static analysis: static analysis is also used in soccer. The coach first considers sequence scenarios and strategies as well as possible mistakes in the lineup. This is nothing other than static analysis. The dynamic analysis then takes place at runtime, for instance during training or the actual game. Software development is very similar. Static analysis means taking a look at the source code without executing the application. Dynamic analysis, on the other hand, means running the program and evaluating the runtime behavior, but of course this then requires test cases.

Manual static analysis has existed as long as software development has existed. So it is clear that a developer who writes a program has an idea how the program will behave at runtime; on this basis he or she can eliminate errors during the writing process. It was proven to be a good idea to have a second developer by your side to carry out a walkthrough together as part of a review, as it is easy to overlook your own errors. In recent times static analyzers, tools that can perform checks automatically, have become increasingly powerful and far surpass manual analyses in terms of depth and reliability.

So what are the strengths of automated static analysis? These tools are very strong in detecting undefined behavior, for instance by the use of syntactic analysis. A compiler also has the ability to do this, but analysis tools usually function in greater depth: they carry out semantic analysis, that is, check the meaningfulness of the syntactically correct code. So be aware, you can also program syntactically correct nonsense; I'm a real specialist in this, in my life I have implemented a lot of nonsense. These automated static analysis tools can carry out data flow analysis, which means uncovering uninitialized variables. They perform control flow analysis to find inaccessible code, also known as dead code. And, very importantly, the paramount discipline of static analysis: concurrency analysis. Therefore I would like to expand on this area of application.

Here you can see pseudocode for two typical concurrency problems. On the left side you see a race condition, more precisely a data race. The two threads created here, two POSIX threads, both run through a common function that increments a global variable sum. Now this expression here is not atomic; it is processed in several steps internally, and if both threads run through this expression at the same time they will write to the same addresses, and of course this inevitably leads to a conflict. How can this be avoided? Clearly, blocking such critical sections with mutexes is the solution. That way only one thread at a time can run through such a section.

On the right hand side I have synchronized the critical sections, albeit not very intelligently. Now I have two functions here. The first function is run by thread A, while the second one is run by thread B. In each function we also have a critical section, but this time synchronized with mutexes. So the following situation may occur: the first thread fetches the first mutex, mutex zero here; meanwhile the second thread fetches the second mutex, mutex one here. This blocks the first thread, since mutex one is already held by the second thread, and the second thread is no better off, as mutex zero is held by the first thread. So this means that both threads are blocked and are waiting for a release that cannot take place. They are waiting for all eternity, and if they have not died, they are still waiting today.

These are two typical concurrency problems. Critically, they do not necessarily have to appear in dynamic testing. They are non-deterministic: we may not see any errors during the test runs, and the deadlock may not occur there either. According to Murphy's Law, this will certainly happen in productive operation. However, static analyzers can reliably detect such problems and are therefore indispensable for checking applications that have implemented concurrency.

Check for compliance with coding guidelines. Another task that static analysis tools can perform is checking for compliance with coding guidelines. There are both proprietary and standardized rule sets like the MISRA rules. I've listed a few rule sets here as examples which, if adhered to, help ensure a certain software stability and quality. Here for example we have the AUTOSAR C++ rule set. This is 60% identical to the MISRA C++ rule set; therefore it has been decided that the AUTOSAR C++ rule set will soon be merged into the MISRA C++ rule set. I've listed other rule sets here, from Lockheed Martin to NASA, while the last ones, the blue ones listed here, are focused more on security. These are focused more on security, that is, security against external attacks.

Another topic is checking for maintainability. I'm targeting metrics here. There are over 100 known metrics. The simplest metric is the number of lines of code. If I have too many lines of code per function, it is very difficult to understand the control flow and the logic in a reasonable amount of time, so this increases maintenance costs and the risk of making mistakes when changing the code. Another metric is, for example, cyclomatic complexity according to Watson and McCabe. This is based on the complexity of the control flow. If the code of a function approaches the dreaded spaghetti code, it becomes incomprehensible and maintenance costs increase. Other examples would be Halstead's implementation estimates, which are also well known. HIS and KGAS are conglomerates of well-known metrics compiled by various car manufacturers.

So what is the area of application? Production-critical applications with high functional safety requirements. But what are critical applications? Applications that could endanger human life or cause major economic damage if they do not function properly. However, if there is for instance a coffee machine that does not work properly, that can still drive the manufacturer under the bottom line. So: wherever you want to make sure that the software works properly.

Security analysis. Security is a topic that is becoming increasingly important, that is, protection against external attacks. Static analyzers can also help here. In the past we were only familiar with DevOps, or so-called development operations. Security analysis was always somewhat neglected in the life cycle, and an extra team had to take care of it. However, we quickly learned that this drove up costs. If a security vulnerability is discovered, this inevitably leads to a change in the source code, which then needs to be retested. If this becomes necessary at an unfavorable stage in the life cycle, additional costs naturally arise. This is why static application security testing is introduced at the start of the implementation phase, and this is known as DevSecOps.

So when we talk about security vulnerabilities, what are we talking about? A few important ones are mentioned here. Buffer overrun and underrun as well as format string problems allow attackers to inject malicious code into affected applications. Or hardcoded passwords can remain in the source code due to carelessness during testing. The use of system is disguised in the source code; this is often an attack from inside, so dissatisfied employees often install a back door that way.

For further execution we need to define two terms beforehand: zero-day vulnerability and n-day vulnerability. A zero-day vulnerability is when a security problem has just been discovered and was not previously documented and published. Zero-day vulnerabilities are relatively harmless, as potential attackers are not yet aware of them. N-day vulnerabilities, on the other hand, are much more dangerous. These are problems that have already been documented and published; they should immediately be eliminated in applications.

Here I have tried to explain how different static analysis techniques can be applied. A typical application can consist of self-developed, open source and purchased commercial third-party components. The self-developed part is of course available as source code, and the errors and security vulnerabilities it contains are homemade. A zero-day source code analysis is recommended here. The same applies to the integrated open source components, as this source code is usually also accessible. With regard to open source components it is also advisable to check for known security problems by researching the relevant vulnerability databases. If the open source component is only available as an already built binary file, the static zero-day analysis can also be carried out on the basis of the binary code. Commercial components are usually only available as binary files, so a static zero-day binary code analysis is recommended here in the first approach. However, the n-day search, which is certainly necessary, can only be carried out once any open source components contained in the binary file have been identified, and this is done by the software composition analysis, SCA. I will come back to this technology later. Finally, once the complete application has been built, a security attribute analysis should be carried out. I will also come back to this later.

As Paulina has already mentioned, we are providing as a distributor the CodeSecure CodeSonar static analysis tool, which addresses most of what I've mentioned so far. It's able to perform bug hunting, capturing and calculating of metrics, checks for compliance to coding guidelines and standards such as MISRA, and data tracking; this is some kind of virtual penetration test. And it's able to provide security analysis.

Software composition analysis. Here I examine binary files for the open source components they contain. In most cases the open source components contained in binary files are only known to a limited extent. You have to imagine that an open source component has integrated another open source component, which in turn has dependencies on other open source components. This can go very deep. It is similar to an iceberg: the largest part is hidden under the surface, and if the last component in the chain has security problems, they will be in your application. That's why identifying them is eminently important.

So how does software composition analysis work? The binary file to be examined is sent through a scanner which first searches superficially for any strings or symbols it contains. These results are then compared with those in a database for various known components. If this does not lead to a result, it is necessary to go into more depth. An attempt is then made to delimit functions in order to create a call graph. Based on this pattern, signatures can be created, which in turn can be compared with those in the database. As a result a list of the identified components is created, called SBOM, software bill of materials. Equipped with the knowledge of the binary's open source components, the tool can then access public vulnerability databases and identify any applicable n-day security vulnerabilities.

The check for software hardening, also known as security attributes, has actually nothing to do with the implementation; rather it concerns the way the finished software was built, that is, the compiler settings. There are compiler settings that increase the difficulty for hackers to break into the program. As an example you can see a stack frame of a function here. The typical attack is carried out in such a way that the area of the data to be read is overwritten with executable malicious code, for instance by exploiting a buffer overrun. Ideally the return address of the function is also overwritten so that it points to the start of the injected code. This is then executed. How can we prevent this? There are various options. One security attribute, for example, is a stack guard. A stack guard is something like a minefield that is created in the stack. That means all addresses in the stack frame that do not contain any data are assigned arbitrary values, and these are checked at runtime. If the area is overwritten by an attempted attack, the application exits immediately. This is one of many ways to protect an application against attacks; there are many others, so I have listed an excerpt here. These attributes can be checked for their presence in the binary by a static analysis tool, and thus a statement can be made about the scope of the protection.

So what are the areas of application? Of course we have application development, such as database applications, for instance ERP systems, trading platforms, and product development as well: vehicles, machines, consumer electronics, and even for the use of standard software. It must be ensured that sensitive data cannot be extracted. It is also important for license management to ensure that all software components are operated with a valid license, and of course a license manager does not want to see an important software program shut down due to an injunction. This is something a static analysis tool is able to inform about: if all the components have been identified, then we also have knowledge about licensing.

We are providing a tool called CodeSentry which is addressing all the requirements I've mentioned before. It performs a software composition analysis, it establishes a software bill of materials after it has identified the components, it uncovers n-day and zero-day vulnerabilities, it's able to check the binary for security attributes, and it gives you the referring licensing information.

It's also possible to use static analysis tools in order to increase the performance. Many people are not aware that static analyzers can also be used to optimize performance. So what are the possible approaches for improvements here? I have listed a few examples here, but due to time constraints I would only like to go into one example in greater detail. Again I have here an example as pseudocode. I have created a slightly large matrix here and would like to increment each element of this matrix using an algorithm. On the left hand side I proceed column by column and on the right hand side row by row. The right hand side, that is the row-by-row access, runs significantly faster. The reason for this is cache related.

First I need to explain what a cache is. A cache is a memory that is very fast. So why is it very fast? At first because it's very small: the smaller the memory, the faster the access. At second because it's designed as a static RAM, and a static RAM is up to 100 times faster than a dynamic RAM. And at third because the cache memory is normally installed directly on the CPU's chip. This means that the CPU can load the data directly into the registers without having to take the detour via the bus. For these reasons the cache is ultra fast. How does the data get from the main memory into the cache? This is done by the prefetcher. The prefetcher is a firmware on the CPU that examines the address stream and, based on this, it assumes which data is likely to be needed next. This data is then loaded from the main memory into the cache.

The cache is organized differently from the main memory: it has cache lines, as not individual bytes or data words are addressed in the cache. I've shown this on this slide; these are cache lines. On Intel systems a cache line usually consists of 64 bytes. A cache line also has a header. This consists of an address tag as a reference to the associated memory area in the main memory, and it contains a status tag. This status tag, also known as dirty flag, indicates whether the data in the cache line has been changed. The cache line is a copy of the data in the main memory, and if the program overwrites data in the cache line, the cache line must be written back to main memory so that the changes are also implemented in the main memory. If the cache line was only read or not accessed at all, the status tag does not change and the cache line can then be deleted from the cache without write-back if required.

But why is row-by-row access to the matrix faster? This is quite simply because the data is stored row by row in the main memory. The data in the cache lines are therefore also row oriented, like the copies. So if the CPU loads the content of a cache line into its registers, it contains all the data required for processing. On the left hand side the cache line contains only one usable data item in the worst case. As cache memory is very small and can only hold a limited number of cache lines, there is a high probability that the CPU will not have the required data available in the cache, so this data must then be loaded from the main memory in a time-consuming process. I think this is just like in real life: if you have access to urgently needed material directly on your desktop, you can work quickly and efficiently. However, if you still have to get the material in the city and have to take the bus at rush hour, which only runs every hour, your performance will drop.

In our portfolio we can offer a tool named Codee, coming from Appentra Solutions in Spain. Codee uncovers such and other possibilities for performance optimization in the source code and makes recommendations for code changes. In some cases Codee also carries out these changes independently. So where can it be used? Wherever time-critical algorithms need to be implemented. For example manufacturers of trading systems: the more transactions that can be processed per day, the greater the turnover. Fraud detection systems that must check a large volume of data overnight. Large data throughputs are also often required in the telco sector. Another area is control engineering: an aircraft attitude control system does not allow any dead times, and for instance the electronic stability program and engine management programs in vehicles contain time-critical algorithms. In safety technology, safety valves, brakes, airbags, ABS etc. must be triggered within a specified time frame.

Another task for static analysis is energy consumption optimization. Optimizing energy consumption is a topic that is increasingly coming into focus. This was formerly only an exclusive domain of hardware; you may remember the leap from NMOS technology to CMOS technology that saved significant energy. Now, however, more and more attention is being paid to software. There's a particularly high need for savings in the field of supercomputing. These computers with several million CPUs sometimes have the power consumption of a medium-sized city, and the electricity costs are enormous, so an energy-optimized application can save thousands of euros. In the meantime the topic has also reached the private sector. You will certainly be familiar with apps on your cell phone that are real power guzzlers and shorten battery life enormously. I'm not talking about the flashlight function, but apps that really demand a lot of processing power. Energy optimization is particularly important for mobile devices in the medical field. These include portable insulin pumps or mobile dialysis machines, for example, which require long battery run times.

Where is the energy actually consumed? Let's take a look at the electronics. Shown here is a simple memory cell made up of six transistors. This is a bistable multivibrator, also known as a flip-flop. This is a standard circuit for storing one bit; to store a bit in a static RAM or register you usually need six transistors. So how does such a cell work? The transistors are designed to be complementary. You can see that the upper ones have a small circle here at the gate; they open while the lower ones are closing, and vice versa. In this case a logical one is stored. The transistor I have highlighted in red here is blocked, the one marked in green is open. The upper transistor here is connecting to the operating voltage, which is therefore present also at this point here, and this means that the output Q here is at logic one. The lower transistor being opened and the upper closed here in the second part of this circuit means that this point here, Q bar, is connected to ground, and so it's logically zero. You can switch this over: if you would like to store a logical zero, then it flips over here into this state, or this state here, and it stores logical one. But please be aware that the advantage of this complementary technology is that one of the transistors is always blocked, and therefore no cross current can flow here or here. This means that practically no energy is consumed.

So how does energy consumption occur? I have energy consumption when the state changes. At the moment when the transistors are switching over, both are open for a brief moment, it's about one nanosecond, and the cross current can flow. So energy is consumed at the exact moment when the change of state is happening, when the bits flip over. How can you optimize? Quite simply, you have to avoid unnecessary bit changes. This can be achieved, for example, by avoiding unnecessary memory accesses. Do you remember, I already mentioned this problem in connection with the performance optimization. So could it be that performance optimization also means energy consumption optimization? Unfortunately this is not quite that simple. However, if I carry out a cache-related performance optimization, then I usually also save energy. If I use the processor vectorization options, I also save energy. But if I parallelize by creating more threads or more processes, and perhaps by activating additional cores, then I consume more energy. But it is clear that you can use static analysis to find algorithms with a possibility of optimizing energy consumption. Codee identifies these places in the source code and will mark them.

So what is the actual order of magnitude of the energy savings of an algorithm? I thought I would measure this, taking the earlier example of matrix access. I found an old Banana Pi in the drawer. This is equipped with an Allwinner A20 controller with an ARM Cortex dual-core CPU and a first-level cache of 2 × 64 kilobytes. Why 2 × 64 kilobytes? Because this is a Harvard architecture, and program code and data are stored in separate memories. I ran the matrix algorithm on it before and after optimization and measured the energy consumption for each case. The operating voltage was a constant 5.18 volts in both cases, and the additional current consumption of the board when the algorithm was running was 170 milliamps. This results in a power consumption of six watts. As the algorithm was running 16.87 seconds, the energy consumption was 10.22 joules. After optimization the energy consumption was only 1.92 joules.
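The two concurrency problems from the webinar's pseudocode slide (the unprotected `sum++` data race and the mutex-0/mutex-1 lock-order deadlock), written out as an added C example with POSIX threads, beside the fix the speaker describes for each. This is editor-added code, not the webinar's slides or any vendor tool's output; the iteration counts, variable names and the address-ordered locking helper are constructed for the demonstration. The racy total is deliberately left unsynchronized so a race detector or a static concurrency checker has something to report; its value is nondeterministic, which is exactly the point made in the talk about such bugs escaping dynamic tests.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demo parameters (not from the webinar). */
#define ITERATIONS 200000
#define NTHREADS 2

/* --- Problem 1: data race on a shared counter ------------------------- */
static long racy_sum;    /* shared, no synchronization: the slide's bug  */
static long guarded_sum; /* shared, protected by sum_lock: the fix       */
static pthread_mutex_t sum_lock = PTHREAD_MUTEX_INITIALIZER;

/* `racy_sum++` is load / add / store, not one atomic step, so two threads
 * can interleave and overwrite each other's result (lost updates). */
static void *racy_worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++)
        racy_sum++;
    return NULL;
}

/* Fix: the critical section is serialized by a single mutex. */
static void *guarded_worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) {
        pthread_mutex_lock(&sum_lock);
        guarded_sum++;
        pthread_mutex_unlock(&sum_lock);
    }
    return NULL;
}

/* Starts NTHREADS copies of fn, joins them and returns the counter. */
static long run_workers(void *(*fn)(void *), long *counter) {
    pthread_t t[NTHREADS];
    *counter = 0;
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&t[i], NULL, fn, NULL);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(t[i], NULL);
    return *counter;
}

long racy_total(void)    { return run_workers(racy_worker, &racy_sum); }
long guarded_total(void) { return run_workers(guarded_worker, &guarded_sum); }

/* --- Problem 2: lock-order deadlock ----------------------------------- */
/* On the slide, thread A takes m0 then m1 while thread B takes m1 then m0.
 * The fix used here: every thread acquires the pair in one global order
 * (by address), so a circular wait can never form. */
static pthread_mutex_t m0 = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t m1 = PTHREAD_MUTEX_INITIALIZER;
static long both_locks_count;

static void lock_pair_ordered(pthread_mutex_t *a, pthread_mutex_t *b) {
    if ((uintptr_t)a > (uintptr_t)b) { pthread_mutex_t *tmp = a; a = b; b = tmp; }
    pthread_mutex_lock(a);
    pthread_mutex_lock(b);
}

static void unlock_pair(pthread_mutex_t *a, pthread_mutex_t *b) {
    pthread_mutex_unlock(a);
    pthread_mutex_unlock(b);
}

/* Thread A still "asks" for (m0, m1) and thread B for (m1, m0), as on the
 * slide, but the helper normalizes the acquisition order. */
static void *thread_a(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) {
        lock_pair_ordered(&m0, &m1);
        both_locks_count++;
        unlock_pair(&m0, &m1);
    }
    return NULL;
}

static void *thread_b(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) {
        lock_pair_ordered(&m1, &m0);
        both_locks_count++;
        unlock_pair(&m1, &m0);
    }
    return NULL;
}

/* Returns 2*ITERATIONS once both threads have finished; with the slide's
 * opposite lock orders this call could hang forever instead. */
long ordered_locking_total(void) {
    pthread_t ta, tb;
    both_locks_count = 0;
    pthread_create(&ta, NULL, thread_a, NULL);
    pthread_create(&tb, NULL, thread_b, NULL);
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);
    return both_locks_count;
}

int main(void) {
    long expected = (long)NTHREADS * ITERATIONS;
    printf("racy total:    %ld (expected %ld)\n", racy_total(), expected);
    printf("guarded total: %ld (expected %ld)\n", guarded_total(), expected);
    printf("ordered locks: %ld (expected %ld)\n", ordered_locking_total(), 2L * ITERATIONS);
    return 0;
}
```

Build with `cc -O0 -pthread` to make the lost updates in the racy version visible on most machines; at higher optimization levels the compiler may fold the loop into a single store, which hides the race from a test run without making the code correct, another illustration of why the speaker relies on static checking rather than on observed test behaviour.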
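The column-by-column versus row-by-row matrix increment from the performance section, written out as an added C example so the cache-line effect the speaker explains can be timed on your own machine. This is editor-added code, not the webinar's pseudocode slide and not Codee's output; ROWS, COLS and the helper names are constructed for the demonstration, and the matrix size is chosen only to exceed a typical last-level cache. The same traversal pair is what the speaker later measured for energy on the Banana Pi, so this is also the workload behind that comparison.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed demo size (not from the webinar): 4096 x 4096 ints = 64 MiB. */
#define ROWS 4096
#define COLS 4096

/* C lays a 2-D array out row by row: element (r, c) and (r, c+1) are
 * adjacent in memory and normally share one 64-byte cache line. */
static int *alloc_matrix(void) {
    int *m = calloc((size_t)ROWS * COLS, sizeof *m);
    if (m == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    return m;
}

/* Column by column (the slow left-hand side on the slide): consecutive
 * accesses are COLS ints apart, so each one pulls in a fresh cache line
 * and uses a single int from it before moving on. */
void increment_column_major(int *m) {
    for (int c = 0; c < COLS; c++)
        for (int r = 0; r < ROWS; r++)
            m[(size_t)r * COLS + c] += 1;
}

/* Row by row (the fast right-hand side): sequential accesses, 16 ints per
 * 64-byte line, and a simple address stream for the prefetcher. */
void increment_row_major(int *m) {
    for (int r = 0; r < ROWS; r++)
        for (int c = 0; c < COLS; c++)
            m[(size_t)r * COLS + c] += 1;
}

static double seconds_now(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Runs one traversal on a fresh zeroed matrix. Returns the sum of all
 * elements (ROWS*COLS if every element was incremented exactly once) and,
 * if elapsed is non-NULL, stores the wall-clock seconds the traversal took. */
long long checksum_after(void (*traverse)(int *), double *elapsed) {
    int *m = alloc_matrix();
    double t0 = seconds_now();
    traverse(m);
    double dt = seconds_now() - t0;
    long long sum = 0;
    for (size_t i = 0; i < (size_t)ROWS * COLS; i++)
        sum += m[i];
    free(m);
    if (elapsed != NULL)
        *elapsed = dt;
    return sum;
}

int main(void) {
    double t_col, t_row;
    long long s_col = checksum_after(increment_column_major, &t_col);
    long long s_row = checksum_after(increment_row_major, &t_row);
    printf("column-major: %.3f s   row-major: %.3f s   checksums %lld / %lld\n",
           t_col, t_row, s_col, s_row);
    return 0;
}
```

Both traversals do identical arithmetic and produce the same checksum; only the access order differs, which is why a static analyzer can flag the loop nest from the source alone. Compile with `-O1` or `-O2` to keep the comparison honest (at `-O0` the loop overhead dominates), and expect the row-major pass to be several times faster on cached hardware.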