| This is a perfect example of how a source code analysis tool failed,
| because you let a developer tell it to NOT scan it. :) I wonder if
| there are flags like that in Fortify?
There are flags like that in *every* source code scanner I know of.  The
state of the art is just not at a point where you don't need a way to
turn off warnings for false positives.  The way you do it can be more or
less sophisticated, but even the most sophisticated can be fooled by
misunderstandings - much less deliberate lies - by the developer.  For
example, Coverity has a nice feature that lets you provide it with
information about the characteristics of functions to which the scanner
doesn't have access.  Rather than define a whole little language for
defining such things, Coverity has you write a dummy function that
simply undertakes the actions it will need to know about.  For example,
to tell Coverity that void f(char* p) will write to *p, you provide
the dummy function:

                void f(char* p) { *p = 0; }

If you accidentally - or deliberately - provide:

                void f(char* p) { *p; }

you've just told Coverity that f() dereferences p, but never writes
through it.  Needless to say, and subsequent analysis will be flawed.

Binary analysis doesn't, in principle, suffer from the problem of not
having access to everything - though even it may have a problem with
system calls (and of course in practice there may be other

"Unavailable source/binary" is a very simple issue.  There are all kinds
of things that are beyond the capabilities of current analysis engines -
and always will be, given the Turing-completeness of all languages
people actually use.  To take a simple example:  A properly-written
quicksort that, before scanning a subfile, sorts the first, middle, and
last element in place before using the middle element as the pivot, does
not need to do any array-bounds checking:  The element values will make
it impossible to walk "out of" the subfile.  This is trivial to prove,
but I doubt any scanner will notice.  It will complain that you *might*
exceed the array bounds.  You basically have two alternatives at this

        1.  Re-write the code to make it amenable to analysis.
        2.  Somehow tell the analyzer to back off.

The theoretically-correct approach is (1) - but it may not be practical
in particular cases.  For quicksort applied to a type with a fast
comparison operation, doing that can double the time spent in the inner
loop and kill performance.  In many cases, the performance or other
impact is minor, but someone has to go off and restructure and retest
the code.  How much such effort can be justified to deal with an
"impossible" situation, just because the analyzer is too stupid to
understand it?  Paradoxically, doing this can also lead to difficulty in
later maintenance:  Someone looking at the code will ask "why are we
testing for null here, the value can't possibly be null because of
XYZ..."  You don't want to be wasting your time going down such
pointless paths every time you need to change the code.  (Yes, comments
can help - but all too often they aren't read or updated.)

Finally, I've seen cases where adding a check to keep the analyzer happy
can encourage a later bug.  Consider a function that as part of some
computation we can prove always produces a non-negative value.  We take
the square root of this value without checking.  The analyzer complains.
So even though it can't matter, we use take the absolute value before
taking the square root.  All is well.  Later, the definition of the
function is changed, and the first computation *may* produce a negative
value, which is then used in some other way.  A quick check of the code
reveals that negative values "are already being handled", so no attempt
is made to update the code.  Boom.

                                                        -- Jerry

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to