Capabilities and Limitations of Static Analysis in Java

Capabilities and Limitations of Static Analysis
When a security researcher discovers a new variety of attack, static analysis tools make it easy to recheck a large body of code to see where the new attack might succeed. Some security defects exist in software for years before they are discovered, which makes the ability to review legacy code for newly discovered types of defects invaluable.

The most common complaint leveled against static analysis tools that target security is that they produce too much noise. Specifically, they produce too many false positives, also known as false alarms. In this context, a false positive is a problem reported in a program when no problem actually exists. A large number of false positives can cause real difficulties. Not only does wading through a long list of false positives feel a little like serving latrine duty, but a programmer who has to look through a long list of false positives might overlook important results that are buried in the list.

False positives are certainly undesirable, but from a security perspective, false negatives are much worse. With a false negative, a problem exists in the program, but the tool does not report it. The penalty for a false positive is the amount of time wasted while reviewing the result. The penalty for a false negative is far greater. Not only do you pay the price associated with having a vulnerability in your code, but you live with a false sense of security stemming from the fact that the tool made it appear that everything was okay.

All static analysis tools are guaranteed to produce some false positives or some false negatives (for any nontrivial property of program behavior, no analysis can be both sound and complete on all programs). Most produce both. We discuss the reasons why later in this chapter. The balance a tool strikes between false positives and false negatives is often indicative of the purpose of the tool. The right balance is quite different for static analysis tools that are meant to detect garden-variety bugs and static analysis tools that specifically target security-relevant defects. The cost of missing a garden-variety bug is, relatively speaking, small: multiple techniques and processes can be applied to make sure that the most important bugs are caught. For this reason, code quality tools usually attempt to produce a low number of false positives and are more willing to accept false negatives. Security is a different story. The penalty for overlooked security bugs is high, so security tools usually produce more false positives to minimize false negatives.

2 Introduction to Static Analysis

For a static analysis tool to catch a defect, the defect must be visible in the code. This might seem like an obvious point, but it is important to understand that architectural risk analysis is a necessary complement to static analysis. Although some elements of a design have an explicit representation in the program (a hard-coded protocol identifier, for example), in many cases it is hard to derive the design given only the implementation.
Solving Problems with Static Analysis
Static analysis is used more widely than many people realize, partially because there are many kinds of static analysis tools, each with different goals. In this section, we take a look at some of the different categories of static analysis tools, referring to commercial vendors and open source projects where appropriate, and show where security tools fit in. We cover:

- Type checking
- Style checking
- Program understanding
- Program verification
- Property checking
- Bug finding
- Security review
Type Checking

The most widely used form of static analysis, and the one that most programmers are familiar with, is type checking. Many programmers don't give type checking much thought. After all, the rules of the game are typically defined by the programming language and enforced by the compiler, so a programmer gets little say in when the analysis is performed or how the analysis works. Type checking is static analysis nonetheless. Type checking eliminates entire categories of programming mistakes. For example, it prevents programmers from accidentally assigning integral values to object variables. By catching errors at compile time, type checking prevents runtime errors. Type checking is limited in its capacity to catch errors, though, and it suffers from false positives and false negatives just like all other static analysis techniques. Interestingly, programmers rarely complain about a type checker's imperfections. The Java statements in Example 2.1 will not compile because it is never legal to assign an expression of type int to a variable of type short, even though the programmer's intent is unambiguous. Example 2.2 shows the output from the Java compiler. This is an
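The point that a type checker has both false positives and false negatives is easy to see in a few lines of Java. The program below is an added example and is not the book's Example 2.1 or 2.2; the class name TypeCheckDemo and the two helper methods are my own. The int-to-short rejection is the false positive the text describes (the value would fit, but javac refuses the assignment unless you cast), and the covariant-array store is a false negative: it passes the type checker and fails only at run time.

```java
// Added example (not from the book): one type-checker false positive and one
// false negative in Java. Build with `javac TypeCheckDemo.java`, run with
// `java TypeCheckDemo`.
public class TypeCheckDemo {

    // False positive: javac rejects int -> short even when the runtime value
    // fits in a short. The rejected statement is left as a comment because the
    // file would not compile with it; the explicit cast is the escape hatch,
    // and it silently wraps for values outside -32768..32767.
    static short narrow(int i) {
        // short r = i;  // javac: incompatible types: possible lossy conversion from int to short
        return (short) i;
    }

    // False negative: Java arrays are covariant, so a String[] may be held as
    // an Object[], and the type checker accepts storing an Integer into it.
    // The mistake surfaces only at run time as ArrayStoreException.
    // Returns true if the store succeeded, false if it was rejected at run time.
    static boolean storeViaCovariantArray() {
        Object[] slots = new String[1];
        try {
            slots[0] = Integer.valueOf(42); // type-checks, throws at run time
            return true;
        } catch (ArrayStoreException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("narrow(1000)  = " + narrow(1000));   // 1000: fits
        System.out.println("narrow(70000) = " + narrow(70000));  // 4464: wrapped, no diagnostic
        System.out.println("covariant array store succeeded: " + storeViaCovariantArray()); // false
    }
}
```

The cast in narrow() is worth dwelling on: it is exactly how programmers make a type-checker false positive go away, and in doing so they trade a compile-time diagnostic for a silent truncation at run time. That is the same trade a security analyst makes whenever a finding is suppressed rather than understood.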