From the field: Code security and Klocwork

May 17, 17 • by Steve Howard

Thoughts on how Klocwork static code analysis helps with code security, with examples pulled from the headlines...

I’m a sales engineer with Rogue Wave Software, focused on helping our embedded customers protect their systems against cybersecurity flaws and malicious hackers. Klocwork static code analysis covers a wide range of security vulnerabilities and measures code against popular security standards, so here are some thoughts to understand how we can help by relating to recent news in the cybersecurity world.

Heartbleed

This is probably the most widely publicized security vulnerability to date, largely because it affected so many machines on the Internet (anything built on the OpenSSL package) and so had a potential direct impact on all of us. It is an example of a buffer overread defect: a malicious attacker on the outside could read data from the system that should never have been exposed. You can get all the gory details about Heartbleed here.

Figure: Heartbleed in Klocwork

Klocwork is able to detect Heartbleed, but it needs some minor tuning to do so, which you can read about in this blog, Saving you from Heartbleed.

Shellshock

Another well-publicized flaw, again because of its widespread potential impact, is Shellshock. This is what we generally think of as a code injection flaw, where arbitrary code can be executed on a remote system to perform malicious activities.

This one sat more in the enterprise and Internet domain, but it can be detected by Klocwork relatively easily – this blog post explains how: Reacting to Shellshock.

Critical infrastructure

Last year, a water treatment plant was hacked to change the chemical mixtures used to treat tap water. This is similar to Shellshock in that it is an injection attack (this time SQL injection), but it is much closer to what embedded software teams worry about: critical control systems. In the wrong hands, security flaws of this type could be devastating for a population, and they are a concern for governments at all levels.

This kind of vulnerability is detected by Klocwork checkers out of the box.
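The injection pattern behind both the Shellshock and water-plant stories above is the same data flow: input from outside is pasted into something that gets interpreted (a shell command, a SQL statement). The following C example is added here to show that pattern and its defence; it is not code from the post or from Klocwork, and the table, column and function names, the query text and the "setpoint" input are assumptions made for the illustration. The unchecked builder is the flow a taint checker reports; the checked builder refuses any input outside a strict allowlist before the query text is ever assembled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define QUERY_MAX 128
#define SETPOINT_NAME_MAX 32

/* Vulnerable pattern (kept only to show what a taint checker flags):
 * the name received from the network goes straight into the query text,
 * so a quote or semicolon in it changes the meaning of the statement.
 * Returns 1 when the text fitted in the buffer, 0 otherwise. */
int build_query_raw(const char *setpoint, char *query, size_t query_len)
{
    int n = snprintf(query, query_len,
                     "SELECT value FROM setpoints WHERE name = '%s'", setpoint);
    return n >= 0 && (size_t)n < query_len;
}

/* Allowlist for a setpoint name: 1..32 characters of [A-Za-z0-9_].
 * Anything else (quotes, spaces, semicolons, dashes) is rejected outright. */
int is_valid_setpoint_name(const char *s)
{
    if (s == NULL) return 0;
    size_t len = strlen(s);
    if (len == 0 || len > SETPOINT_NAME_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_') return 0;
    }
    return 1;
}

/* Hardened form: validate the tainted value before it reaches the query.
 * Where the database API offers parameterised statements those should be
 * preferred to string building; the allowlist is the defence shown here. */
int build_query_checked(const char *setpoint, char *query, size_t query_len)
{
    if (!is_valid_setpoint_name(setpoint)) return 0;
    return build_query_raw(setpoint, query, query_len);
}

/* Constructed sample inputs: one legitimate name and one carrying a quote
 * and a comment marker. Returns 1 when the checked builder accepts the
 * first and rejects the second. */
int demo(void)
{
    char query[QUERY_MAX];
    int good = build_query_checked("ph_target", query, sizeof query);
    int bad  = build_query_checked("ph_target'; --", query, sizeof query);
    return good == 1 && bad == 0;
}

int main(void)
{
    char query[QUERY_MAX];
    if (build_query_checked("ph_target", query, sizeof query))
        printf("accepted: %s\n", query);
    printf("%s\n", demo() ? "allowlist behaves as expected" : "FAILED");
    return demo() ? 0 : 1;
}
```

The checker's view of this is simple: in `build_query_raw` the tainted string reaches a sink with no intervening validation, while in `build_query_checked` every path to the sink passes through `is_valid_setpoint_name` first.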

Buffer overflows

Most embedded systems are less prone to attacks like Shellshock because they don’t expose “sophisticated” interfaces such as Bash shells. However, embedded systems are becoming more connected to the outside world – think IoT – and are offering more opportunities for malicious code attacks. One example is buffer overflows. Like injection attacks, buffer overflows allow an external attacker to ‘put’ code or data into a system; done correctly, that opens the system up to further instructions from the outside. The original Microsoft Xbox systems were cracked using such exploits within some games, for example.
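The Heartbleed section above describes a buffer overread and this section a buffer overflow; both usually come from the same mistake, trusting a length field that arrived from outside. The C example below is added to make that concrete and is not code from the post or from Klocwork. It parses a constructed, hypothetical record format (a two-byte big-endian payload length followed by the payload) and is an assumption for the illustration, as are the function names and sample bytes. The unchecked copier uses the declared length as-is, which over-reads the source when the record is shorter than it claims and overflows the destination when the claim exceeds the output buffer; the checked copier validates the field against both bounds before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (an assumption, not any real protocol):
 *   bytes 0-1 : big-endian declared payload length
 *   bytes 2.. : payload
 */
#define MAX_PAYLOAD 64

enum copy_status { COPY_OK = 0, COPY_BAD_LENGTH = -1 };

/* Vulnerable form, kept only to show what a static checker flags: it
 * trusts the declared length. A record that declares more bytes than it
 * carries makes memcpy read past the end of `record` (the Heartbleed
 * class of over-read); a declaration larger than `out_len` makes it write
 * past the end of `out` (a buffer overflow). Never call this on untrusted
 * input; it is not exercised by the demo below. */
size_t copy_payload_unchecked(const uint8_t *record, size_t record_len,
                              uint8_t *out, size_t out_len)
{
    (void)record_len;            /* the bug: the real sizes are ignored */
    (void)out_len;
    size_t declared = ((size_t)record[0] << 8) | record[1];
    memcpy(out, record + 2, declared);
    return declared;
}

/* Hardened form: the declared length is checked against the bytes actually
 * received (source bound) and the destination capacity (sink bound) before
 * any copy happens. Returns COPY_OK and sets *copied on success. */
int copy_payload_checked(const uint8_t *record, size_t record_len,
                         uint8_t *out, size_t out_len, size_t *copied)
{
    if (record == NULL || out == NULL || copied == NULL) return COPY_BAD_LENGTH;
    if (record_len < 2) return COPY_BAD_LENGTH;            /* header incomplete */
    size_t declared = ((size_t)record[0] << 8) | record[1];
    if (declared > record_len - 2) return COPY_BAD_LENGTH;  /* would over-read source */
    if (declared > out_len) return COPY_BAD_LENGTH;         /* would overflow destination */
    memcpy(out, record + 2, declared);
    *copied = declared;
    return COPY_OK;
}

/* Constructed samples: a well-formed record declaring 5 bytes and carrying
 * 5, and a malformed one declaring 1024 bytes but carrying 5. Returns 1
 * when the checked copier accepts the first and rejects the second. */
int demo(void)
{
    const uint8_t good[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t bad[]  = {0x04, 0x00, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    int ok_good = copy_payload_checked(good, sizeof good, out, sizeof out, &n) == COPY_OK
                  && n == 5;
    int ok_bad  = copy_payload_checked(bad, sizeof bad, out, sizeof out, &n) == COPY_BAD_LENGTH;
    return ok_good && ok_bad;
}

int main(void)
{
    printf("%s\n", demo() ? "length checks behave as expected" : "FAILED");
    return demo() ? 0 : 1;
}
```

The two comparisons in `copy_payload_checked` are exactly the kind of missing bounds check that an analyzer reports on the unchecked version: the value feeding `memcpy` is derived from the input buffer and never compared to either buffer's real size.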

Klocwork is very good at detecting these kinds of issues, and guarding against them features prominently in security standards such as CERT and CWE. You can see a complete mapping between these standards and Klocwork checkers here.

To learn more about the new Klocwork built-in security reporting, visit klocwork.com. The Klocwork Security Report for GENIVI components gives managers and executives an easy-to-understand summary of the current vulnerabilities in their critical software projects.
