CSC 2045: Secure Software Tools Overview

Questions and Answers

What is Git primarily used for?

  • Creating web applications
  • Debugging code errors
  • Managing and tracking source code history (correct)
  • Designing software interfaces

Which feature of Visual Studio Code helps predict the next typed text?

  • IntelliSense (correct)
  • Extensions
  • Syntax highlighting
  • Git support

What is a primary benefit of using GitHub?

  • It automatically repairs bugs in the code
  • It is the only way to manage source code
  • It offers cloud-based hosting for Git repositories (correct)
  • It is only compatible with Windows operating systems

Which type of code analysis tool is used to examine the code while it is running?

  • Dynamic code analysis (C)

Which of the following does NOT typically get identified through static code analysis?

  • Run-time exceptions (A)

What is a limitation of static code analysis tools?

  • They may produce false positives and negatives. (C)

Which type of issues can static code analysis tools help developers identify?

  • Unreachable code and undeclared variables (A)

What distinguishes debugging from static code analysis?

  • Dynamic analysis involves real-time code observation (D)

Which of the following describes a key tip for effective debugging?

  • Use tracepoints to log messages for better insight (C)

What is the main purpose of debugging?

  • To remove bugs from your code (A)

What happens when you start your app in 'debug mode' in Visual Studio?

  • A debugger is attached to the app (A)

When should you consider using a debugger instead of other tools?

  • When trying to eliminate bugs or errors (C)

What is the role of a debugger in programming?

  • To control program execution and inspect the program state. (A)

Which statement best describes the concept of logging?

  • A process used to record significant program events. (A)

What does the 'step into' feature in debugging do?

  • Pauses execution after executing a line of code if it contains a function call. (B)

What does syntax refer to in programming?

  • The structure and rules governing the code (B)

What must happen for a compiler to translate a program successfully?

  • The program must be syntactically correct (A)

What characterizes a run-time error in programming?

  • It appears only after the program is run (A)

Which statement best describes the role of debugging?

  • To find and fix errors in the program (B)

Why are compilers considered less forgiving than human readers?

  • Compilers only accept perfectly structured programs (A)

Flashcards

Git

A version control system that tracks changes to your code and allows you to revert to previous versions.

GitHub

A web-based platform where you can host and manage your Git repositories.

VS Code

A popular, free code editor that supports multiple programming languages and offers features like auto-completion, debugging and Git integration.

Vulnerability Defects

Errors or flaws in software that can be exploited by attackers.

Buffer Overflow

A type of vulnerability defect that occurs when a program tries to write more data to a memory location than it can hold, potentially overwriting sensitive data or causing the program to crash.

What is Static Code Analysis?

A process of inspecting code for issues before or after compiling. It aims to catch potential problems like syntax errors, unreachable code, and security vulnerabilities.

Static Code Analysis Tools

These tools scan code for errors and inconsistencies, producing reports and suggesting fixes.

Flaws (in code)

Bugs that arise from design flaws or improper implementation in the code.

Compiler-Passing Errors

Errors that bypass the compiler and reveal themselves later, like incorrect variable types or uninitialized variables.

Graphical Analysis Results

Features of static code analysis tools that provide visual representations of code analysis results, making it easier to understand and diagnose issues.

What is Dynamic Code Analysis?

Dynamic code analysis involves running a program and observing its behavior to detect issues. It's like watching a house being built to see if anything goes wrong.

What is Debugging?

Debugging is a form of dynamic code analysis where you track code execution, find errors, and fix them. It's like finding and fixing a leaky faucet in your house.

What is a Breakpoint?

A breakpoint is a marker in your code that tells the debugger to pause execution when it reaches that point. This allows you to step through your code and see what's happening line by line.

What is a Tracepoint?

Tracepoints are markers in your code that log messages to the output window when they are reached. This helps you track the flow of execution and identify problems.

What is a debug configuration?

A debug configuration enables various debugging features, allowing you to find bugs in your application by attaching a debugger.

What is a release configuration?

A release configuration prepares your app for distribution, optimized for performance. It allows you to share your application with end users.

What is a debugger used for?

A debugger is a tool that lets you examine your code step-by-step while it's running, enabling you to identify and fix errors.

When should I use a debugger?

Using a debugger is crucial for finding and fixing bugs. However, it should be used strategically. Sometimes, other tools or best coding practices might be more effective.

What is a syntax error?

A syntax error occurs when a statement is written incorrectly, violating the rules of the C++ language. The compiler will identify and report these errors.

What is a semantic error?

Semantic errors occur when a statement is written correctly but doesn't do what the programmer intended. The compiler won't catch these, and the program might produce unexpected results.

What is defensive programming?

Defensive programming is a coding technique where the programmer anticipates potential misuse of their code and builds safeguards to prevent unexpected behavior. It's like putting safety features on a product to prevent accidents.

What is a debugger?

A debugger is a powerful tool that allows programmers to step through their code line by line, examine the values of variables, and track the program's execution. It's like a magnifying glass for code.

Syntax Error

A programming error that prevents a program from compiling. These errors occur because the program violates the syntax rules of the programming language.

Runtime Error

A programming error that causes a program to behave unexpectedly during runtime. These errors occur when the program's code is syntactically correct but contains a logical flaw.

Debugging

The process of finding and fixing errors in a program. It involves carefully analyzing the code's behavior and identifying the root cause of the problem.

Defensive Programming

A programming technique that emphasizes anticipating and preventing errors by adding safeguards to the code. It helps to make programs more robust and less prone to crashes.

Semantic Error

Errors that occur when the compiler successfully translates the code but the program doesn't behave as intended. The code might use incorrect data types or operate on uninitialized variables.

Study Notes

CSC 2045: Secure Software Tools

  • This course covers secure software tools, including development environments, code analysis, and debugging techniques.
  • Objectives include becoming proficient with IDEs (Integrated Development Environments), source code analysis, and code review procedures.
  • Students are expected to conduct thorough analysis using various tools and techniques, including both static and dynamic analysis tools, to identify potential issues in software code.

Course Agenda (Week 3)

  • Fundamentals of Git and GitHub: Git is a version control system, and GitHub is a cloud-based hosting service for Git repositories. Git manages and tracks source code history, and GitHub allows for management of Git repositories.

  • VSCode: A free, lightweight, and powerful source code editor with built-in support for JavaScript, TypeScript, Node.js, and extensions for other languages (C++, Java, etc.). Features include IntelliSense, Git support, syntax highlighting, and customizable themes, keyboard shortcuts, and preferences. Available for Windows, macOS, and Linux.

  • Vulnerability Defects and Mitigation: Software flaws range from simple bugs to complex design issues. Mitigating these issues involves meticulous code analysis, testing, and quality control procedures. Vulnerabilities can result from incorrect input validation, buffer overflows, race conditions, unsafe system calls, and more. Specific types of issues include:

    • Bugs: Problems introduced during software implementation. They are easily discovered and corrected.
    • Flaws: Problems stemming from design and code instantiation. They are embedded more subtly in the code and originate in design, error handling, and/or illogical access controls.

  • Static Code Analysis: A process where developers examine source code for issues before compiling. Tools identify problems such as unreachable code, uninitialized variables, parameter type mismatches, uncalled functions, variables used before initialization, non-usage of function results, and potential array bounds errors. Static code analysis tools can speed up error detection, but can produce false positives.

  • Dynamic Code Analysis (Debugging): This examines a running program to identify defects by observing behavior during execution. Debugging is crucial for removing bugs. A debugger is a tool that attaches to the running application, allowing inspection during execution.

  • Tips for Debugging C++ Programs: Debugging techniques include setting breakpoints, using step commands, reviewing Output window messages, and using logged messages to isolate problematic code regions.

  • Exploring VSCode Debugger: Instructions cover running and debugging C++ files and customizing the debugger experience, supported by tutorials, development guides, and short videos for getting started with C++ development in Visual Studio Code. Key resources for developing within the Visual Studio Code environment: https://code.visualstudio.com/docs/cpp/config-msvc#_explore-the-debugger and https://code.visualstudio.com/docs/cpp/introvideos-cpp#_debug-a-c-project.

  • Secure Coding Tools: These tools assist in identifying and preventing vulnerabilities in code. The course emphasizes tools, methodology, and techniques related to secure coding practices.

Static Code Analysis Tools

  • Tools can automatically analyze code, finding errors missed by compilers and speeding up the process.
  • Tools may produce false positives, but they significantly aid in automating error detection.
  • Microsoft Visual Studio Code offers analysis for C/C++ code highlighting potential issues and improvements.

Static Code Analysis Tools - Limitations

  • Cannot automatically identify all coding problems, including design issues, cryptographic vulnerabilities, and embedded credentials.
  • Primarily focuses on implementation issues rather than conceptual flaws.

Static Code Analysis - Capabilities

  • Detecting implementation errors earlier reduces downstream problems.
  • Reduced testing, operations, and maintenance time leads to higher-quality software.
  • Helps find vulnerabilities relevant to security, like incorrect input validation, buffer overflows, race conditions, and unsafe system calls.
  • Often used with other code analysis/testing methods for enhanced quality.
