Software Analysis PDF

Summary

This document discusses software analysis, focusing on different programming languages such as Java and Python, and comparing their respective features.

Full Transcript

09 SOFTWARE ANALYSIS

Different Languages - Java vs. Python

The basic semantics of expressions and statements are similar

Java...... requires semicolons at the end of statements... requires braces around if and while... uses curly braces around blocks instead of identation

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 2
Types - Java vs. Python

The most important semantic difference is the declaration of the variable n

A type is a set of values with operations that can be performed on them

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 3

Types in Java - Java vs. Python

Java has several types:

primitive types: boolean, byte, short, int, long, float,
double, char

Operations are functions

Operators (infix, prefix or postfix)

Methods of Objects

Functions

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 4
Static Typing - Java vs. Python

Java is a statically-typed language

Types of all variables are known at compile time

The compiler can therefore deduce the type of expressions

Python is a dynamically-typed language

The type of expressions is deduced during runtime

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 5

Static Checking

The bug is automatically found before the program even runs
Syntax errors

Wrong names, e.g. Math.sine(2);

Wrong number of arguments, e.g. Math.sin(2, 3);

Wrong types of arguments, e.g. Math.sin("2");

Wrong return types...

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 6
Dynamic Checking

The bug is automatically found when the code is executed
Illegal argument values, e.g. x/y is only erroneous when y = 0

unrepresentable return values, e.g. "February 29, 1999"

out-of-range indices, e.g. the index is negative or too large

calling a method on a null object...

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 7

Now, what?

Static and dynamic checking help to find bugs in a program. However, they can
not find every bug.
Testing can help to ensure the correct functioning of the program

There are several testing methods, e.g. statistical, structural, and behavorial
testing

However, sometimes a program technically behaves as intended, but leaves
room for bugs that you did not even anticipate

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 8
Software Analysis

Software analysis tries to incorporate contextual information to find unwanted
behavior, even if it is technically correct.
Static software analysis analyzes the sourecode of a program, without
executing it

Dynamic software analysis analyzes the program by executing the it

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 9

Static Software Analysis

For Software analysis, the program first needs to be translated into an
intermediate representation:
Based on the intermediate representation, a control flow graph is built

However, the intermediate representation abandons completeness

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 10
Control Flow Graph

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 11

Dynamic Software Analysis

However, a control flow graph gets quite large very qickly and becomes
unprocessable (that's why completeness is abandoned). Therefore, dynamic
software analysis executes the program with different sets of parameters and
keeps track of the values of (selected) variables.

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 12
Explicit Information Flow

Explicit data flow happens when information finds its way through the memory
directly, for example by copying it or using it in an operation.

Consider the following example:
int a, b, c; // [a = ?, b = ?, c = ?]

a = 5; // [a = 5, b = ?, c = ?]
b = 7; // [a = 5, b = 7, c = ?]
c = a + b; // [a = 5, b = 7, c = 12]

[...]

c -= 3; // [a = 5, b = 7, c = 9]
System.out.println(c); // prints 9

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 13

Implicit Information Flow (1 / 4)

Implicit data flow happens when information can be deduced from the behavior
of the program or the values of certain variables:

Example 1:
int a, b;

a = getValue();

if(a == 0) {
b = 0;
} else {
b = 1;
}

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 14
Implicit Information Flow (2 / 4)

Example 2:
int a;

a = getValue();

while(a < 0) {
doSomething();
}

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 15

Implicit Information Flow (3 / 4)

Example 3:
int a;

a = getValue();

if(a < 0) {
for(int i = 0; i < 10E6; i++>) {
doSomething();
}
}

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 16
Implicit Information Flow (4 / 4)

Example 4:
int a;

a = getValue();

if(a < 0) {
throw new Exception("...");
}

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 17