Source Code Analysis Laboratory (SCALe) for Energy ... - CERT
Each analyzer produces a set of flagged nonconformities. Diagnostic formats vary with each tool, but they typically include the following information:
• name of source file where the flagged nonconformity occurs
• flagged nonconformity line number
• flagged nonconformity message (error description)
Some diagnostic messages may indicate a violation of a secure coding guideline or security violation, and others may not. Analyzer diagnostic warnings that represent violations of secure coding guidelines are mapped to the respective guideline, typically using a regular expression. This mapping can be performed directly by the tool or by the SCALe infrastructure. Analyzers that directly support a mapping to the CERT secure coding standards include Compass/ROSE, LDRA Testbed,[7] and Klocwork.[8]
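As an added example (not code from the report or from the SCALe infrastructure), the Python script below shows the mapping step just described: it parses diagnostics written in two constructed tool formats into the three fields listed above (file, line, message) and then maps each message to a CERT C rule with a regular expression, which is how SCALe handles analyzers that do not map their own output. The sample diagnostics, both message formats and the message-to-rule patterns are assumptions made for this example; the rule identifiers ARR30-C, FIO30-C and EXP33-C are real CERT C rules, but the patterns that select them here are illustrative, not SCALe's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample diagnostics in two made-up tool formats (not real analyzer output):
#   Format A: "path:line: message"
#   Format B: "message [file=path line=N]"
SAMPLE_DIAGNOSTICS = """\
src/net.c:42: Buffer overrun: write of 12 bytes into 'buf' of size 8
src/util.c:17: Format string is not a literal
src/main.c:88: Unused variable 'tmp'
Use of uninitialized value 'len' [file=src/parse.c line=130]
"""


@dataclass
class Diagnostic:
    """One flagged nonconformity: the three fields every tool reports, plus the mapped rule."""
    path: str
    line: int
    message: str
    guideline: Optional[str] = None  # CERT rule ID, or None if the warning maps to no guideline


# One regex per input format; a real deployment needs one per analyzer.
FORMAT_A = re.compile(r"^(?P<path>[^:\s]+):(?P<line>\d+):\s*(?P<msg>.+)$")
FORMAT_B = re.compile(r"^(?P<msg>.+?)\s*\[file=(?P<path>\S+) line=(?P<line>\d+)\]$")

# Message pattern -> CERT C rule. The rule IDs are real; the patterns are assumptions
# for the constructed messages above. Order matters: the first match wins.
GUIDELINE_PATTERNS = [
    (re.compile(r"buffer overrun|out[- ]of[- ]bounds", re.I), "ARR30-C"),
    (re.compile(r"format string", re.I), "FIO30-C"),
    (re.compile(r"uninitiali[sz]ed", re.I), "EXP33-C"),
]


def parse_diagnostics(text: str) -> list:
    """Extract (path, line, message) from each diagnostic line; unrecognized lines are skipped."""
    diags = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = FORMAT_A.match(raw) or FORMAT_B.match(raw)
        if m is None:
            continue  # unknown format: leave it out rather than guess a location
        diags.append(Diagnostic(m["path"], int(m["line"]), m["msg"].strip()))
    return diags


def map_to_guideline(diag: Diagnostic) -> Diagnostic:
    """Attach the first CERT rule whose pattern matches the message; otherwise leave None."""
    for pattern, rule in GUIDELINE_PATTERNS:
        if pattern.search(diag.message):
            diag.guideline = rule
            break
    return diag


def analyze(text: str) -> list:
    """Full pipeline: parse tool output, then map every diagnostic to a guideline."""
    return [map_to_guideline(d) for d in parse_diagnostics(text)]


def summarize(diags: list):
    """Return ({rule_id: count}, number_of_unmapped) so the unmapped warnings are visible, not lost."""
    counts = {}
    unmapped = 0
    for d in diags:
        if d.guideline is None:
            unmapped += 1
        else:
            counts[d.guideline] = counts.get(d.guideline, 0) + 1
    return counts, unmapped


if __name__ == "__main__":
    results = analyze(SAMPLE_DIAGNOSTICS)
    for d in results:
        print(f"{d.path}:{d.line}: [{d.guideline or 'unmapped'}] {d.message}")
    print(summarize(results))
```

Counting the unmapped diagnostics separately is deliberate: a warning that matches no guideline pattern is not necessarily benign, it is simply not yet classified, and the count tells the auditor how much of the tool's output the regex mapping has not covered.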
When possible, SCALe also uses dynamic analysis and fuzz testing techniques to identify coding defects and for true/false positive analysis in addition to the routinely performed static analysis. An example of this is the basic fuzzing framework (BFF) developed by CERT. The BFF has two main parts:
• a Linux VM that has been optimized for fuzzing
• a set of scripts and a configuration file that orchestrate the fuzzing run
The VM is a stripped-down Debian installation with the following modifications:
• The Fluxbox window manager is used instead of the heavy Gnome or KDE desktop environments.
• Fluxbox is configured not to raise or focus new windows. This can help in situations where you may need to interact with the guest operating system (OS) while a graphical user interface (GUI) application is being fuzzed.
• Memory randomization is disabled for reproducibility.
• VMware Tools is installed, which allows the guest OS to share a directory with the host.
• The OS is configured to automatically log in and start X.
• The sudo command is configured not to prompt for a password.
• The strip command is symlinked to /bin/true, which prevents symbols from being removed when an application is built.
The goal of fuzzing is to generate malformed input that causes the target application to crash. The fuzzer used by the BFF is Sam Hocevar’s zzuf application.[9] CERT chose zzuf for its deterministic behavior, number of features, and lightweight size. By invoking zzuf from a script (zzuf.pl), additional aspects of a fuzzing run are automatable:
• Collect program stderr output, Valgrind memcheck, and gdb backtrace. This information can help a developer determine the cause of a crash.
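As an added example (this is not the BFF's zzuf.pl, which the report does not reproduce), the Python below shows what the collected crash artifacts enable once a run has produced them: it extracts the signal and call stack from a gdb backtrace and the error kind from Valgrind memcheck output, derives a stack-based crash signature, and buckets crashes by that signature so a developer reviews each distinct defect once rather than once per crashing input. The gdb and memcheck text is constructed sample output modelled on the real formats, and the signature scheme (the top three function names that have source locations) is an assumption chosen for this example; it also shows why the VM keeps symbols (the strip symlink above) and disables memory randomization: without symbols the frames carry no function names, and with randomization the same defect would show different addresses on every run.

```python
import re
from collections import Counter

# Constructed sample artifacts modelled on gdb and Valgrind memcheck output (not real runs).
# Crash A: a read past the end of a buffer in the application's parser.
CRASH_A_GDB = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x08048512 in parse_header (buf=0x804b008 "fuzzed-0001") at parse.c:57
#1  0x080485f0 in read_file (path=0xbfffef30 "fuzzed-0001.bin") at main.c:31
#2  0x08048640 in main (argc=2, argv=0xbfffedb4) at main.c:52
"""
CRASH_A_MEMCHECK = """\
==1234== Invalid read of size 1
==1234==    at 0x8048512: parse_header (parse.c:57)
==1234==    by 0x80485F0: read_file (main.c:31)
"""
# Crash B: the same defect reached from a different fuzzed file. With memory
# randomization disabled the addresses repeat; only the argument values differ.
CRASH_B_GDB = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x08048512 in parse_header (buf=0x804b008 "fuzzed-0002") at parse.c:57
#1  0x080485f0 in read_file (path=0xbfffef30 "fuzzed-0002.bin") at main.c:31
#2  0x08048640 in main (argc=2, argv=0xbfffedb4) at main.c:52
"""
# Crash C: a different defect. The top frames are libc frames without source
# locations, so they must not contribute to the signature.
CRASH_C_GDB = """\
Program received signal SIGABRT, Aborted.
#0  0xb7fdd424 in __kernel_vsyscall ()
#1  0xb7e7b8e1 in raise () from /lib/libc.so.6
#2  0x08048720 in check_length (n=4294967295) at parse.c:80
#3  0x08048640 in main (argc=2, argv=0xbfffedb4) at main.c:52
"""

SIGNAL_RE = re.compile(r"Program received signal (?P<sig>SIG[A-Z0-9]+)")
# "#N  0xADDR in func (args) at file:line"; address and location are optional.
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)\s*\(.*\)"
    r"(?:\s+at\s+(?P<file>[^:\s]+):(?P<line>\d+))?"
)
# Memcheck's first error line carries the error kind (two common kinds handled here).
MEMCHECK_RE = re.compile(
    r"^==\d+==\s+(?P<err>Invalid (?:read|write) of size \d+"
    r"|Conditional jump or move depends on uninitialised value\(s\))"
)


def parse_gdb(text: str):
    """Return (signal, frames); each frame is {func, file, line}, file/line None if unknown."""
    signal, frames = None, []
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            signal = m["sig"]
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({"func": m["func"], "file": m["file"],
                           "line": int(m["line"]) if m["line"] else None})
    return signal, frames


def memcheck_error(text: str):
    """Return the first memcheck error kind, or None if memcheck reported nothing."""
    for line in text.splitlines():
        m = MEMCHECK_RE.match(line)
        if m:
            return m["err"]
    return None


def crash_signature(frames: list, depth: int = 3) -> str:
    """Join the top `depth` function names that have source locations (skips unsymbolized/libc frames)."""
    app_frames = [f["func"] for f in frames if f["file"]]
    return ">".join(app_frames[:depth])


def triage(gdb_text: str, memcheck_text: str = "") -> dict:
    """Build one crash record from the artifacts collected for a single crashing input."""
    signal, frames = parse_gdb(gdb_text)
    return {"signal": signal, "frames": frames,
            "memcheck": memcheck_error(memcheck_text),
            "signature": crash_signature(frames)}


def bucket(records: list) -> Counter:
    """Count crashes per signature: each key is one defect for a developer to look at."""
    return Counter(r["signature"] for r in records)


if __name__ == "__main__":
    records = [triage(CRASH_A_GDB, CRASH_A_MEMCHECK), triage(CRASH_B_GDB), triage(CRASH_C_GDB)]
    for r in records:
        print(r["signal"], r["signature"], r["memcheck"])
    print(bucket(records))
```

The three-frame signature is a trade-off: too shallow and unrelated crashes that all die inside one shared helper collapse into a single bucket; too deep and the same defect splits across buckets whenever it is reached through different callers. Frames without a source location are excluded precisely because, as the VM notes above explain, symbol-less frames carry no stable name to key on.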
[7] http://www.ldra.com/certc.asp
[8] http://www.klocwork.com/solutions/security-coding-standards/
[9] http://caca.zoy.org/wiki/zzuf
CMU/SEI-2010-TR-021 | 12