I’m a sales engineer with Rogue Wave Software, focused on helping our embedded customers protect their systems against cybersecurity flaws and malicious hackers. Klocwork static code analysis covers a wide range of security vulnerabilities and measures code against popular security standards, so here are some thoughts on how we can help, tied to recent news from the cybersecurity world.
Heartbleed is probably the most widely publicized security vulnerability to date, largely because it affected so many machines on the Internet (anything using the OpenSSL package) and had a potential direct impact on all of us. It is an example of a buffer overread defect: the code trusted a length field supplied by the remote peer, so a malicious attacker from the outside could read data out of the process’s memory that should never have been exposed. You can get all the gory details about Heartbleed here.
Klocwork is able to detect Heartbleed, but it needs some minor tuning to do so, which you can read about in this blog, Saving you from Heartbleed.
Another well-publicized flaw, again because of its widespread potential impact, is Shellshock. This is what we generally think of as a code injection flaw, where attacker-supplied input is interpreted as commands, so arbitrary code can be executed on a remote system to perform malicious activities.
Shellshock was more of an enterprise and Internet-domain problem, but it’s one that Klocwork can detect relatively easily. This blog explains how: Reacting to Shellshock.
Last year, a water treatment plant was hacked to change the chemical mixtures used to treat tap water. This is a similar attack to Shellshock in that it’s an injection attack (this time SQL injection), but it is much closer to what embedded software teams would be concerned about: critical control systems. In the wrong hands these types of security flaws could be devastating for a population, and they are a concern for governments at all levels.
This kind of vulnerability is detected by Klocwork checkers out of the box.
Most embedded systems are less prone to attacks like Shellshock because they don’t expose “sophisticated” interfaces such as Bash shells. However, embedded systems are becoming more connected to the outside world – think IoT – and so are offering more opportunities for malicious code attacks. One example is buffer overflows. Like injection attacks, buffer overflows allow an external attacker to ‘put’ code or data into a system by writing past the end of a fixed-size buffer into whatever sits next to it. If done correctly, that opens the system up to further instructions from the outside. The original Microsoft Xbox systems were cracked using such exploits within some games, for example.
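To make the two memory-safety defects mentioned in this post concrete, the following C program is an added illustration (it is not Klocwork’s or Rogue Wave’s code, nor code from the original post). The first half shows a Heartbleed-style buffer overread, where a length field supplied by the peer is trusted and adjacent memory is copied out; the second half shows a classic buffer overflow, where an over-long write into a fixed-size field clobbers the byte next to it. Each defect sits beside a bounds-checked version that rejects the bad input. The function names, the `arena` and `bad_name` sample bytes, and the packet layout are all constructed assumptions for the example; the only thing they model is the shape of the bug, not any real protocol.

```c
/* Added example, not Klocwork's or Rogue Wave's code. All input is
 * constructed in-line so the program runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- Buffer overread: trusting a length field supplied by the peer ---- */

/* Constructed "process memory": a message whose length byte claims 16 bytes
 * but whose real payload is the 4 bytes "ping", followed by data that was
 * never meant to leave the process. Total message size is 5 bytes. */
static const uint8_t arena[32] =
    "\x10" "ping"                 /* length byte 0x10 = 16, payload "ping" */
    "SECRETKEY-DO-NOT-LEAK";      /* adjacent bytes the echo must not reveal */
#define REAL_MSG_LEN 5

/* Vulnerable: copies as many bytes as the header claims, never comparing
 * that claim with the number of bytes actually received. */
size_t echo_vulnerable(const uint8_t *msg, uint8_t *out)
{
    size_t claimed = msg[0];
    memcpy(out, msg + 1, claimed);        /* reads past the real payload */
    return claimed;
}

/* Hardened: the claimed length is checked against the bytes actually
 * received (msg_len) and against the output buffer before any copy. */
int echo_checked(const uint8_t *msg, size_t msg_len,
                 uint8_t *out, size_t out_len, size_t *copied)
{
    if (msg_len < 1)
        return -1;
    size_t claimed = msg[0];
    if (claimed > msg_len - 1 || claimed > out_len)
        return -1;                        /* reject: claim exceeds real data */
    memcpy(out, msg + 1, claimed);
    *copied = claimed;
    return 0;
}

/* Returns how many bytes beyond the real 4-byte payload the vulnerable echo
 * leaked (12 with the arena above), or -1 if the leak did not happen. */
int overread_leaks_secret(void)
{
    uint8_t out[32];
    size_t n = echo_vulnerable(arena, out);
    if (n <= 4 || memcmp(out + 4, arena + REAL_MSG_LEN, n - 4) != 0)
        return -1;
    return (int)(n - 4);
}

/* Returns the hardened function's verdict on the same message: -1 (rejected). */
int overread_rejected(void)
{
    uint8_t out[32];
    size_t n = 0;
    return echo_checked(arena, REAL_MSG_LEN, out, sizeof out, &n);
}

/* ---- Buffer overflow: unchecked write into a fixed-size field ---- */

/* Constructed packet layout as one byte array: an 8-byte name field with a
 * one-byte privilege flag immediately after it. */
#define NAME_LEN 8
#define FLAG_OFF NAME_LEN
#define PKT_LEN  16

/* Constructed over-long input: 8 printable bytes plus one extra byte that
 * lands exactly on the flag. */
static const uint8_t bad_name[9] = { 'o','v','e','r','l','o','n','g', 0x01 };

/* Vulnerable: copies whatever the caller supplies; len is never compared
 * with NAME_LEN, so the ninth byte overwrites the flag. */
uint8_t set_name_vulnerable(uint8_t *pkt, const uint8_t *name, size_t len)
{
    memcpy(pkt, name, len);
    return pkt[FLAG_OFF];
}

/* Hardened: rejects input that does not fit, so the flag byte is untouched. */
int set_name_checked(uint8_t *pkt, const uint8_t *name, size_t len)
{
    if (len > NAME_LEN)
        return -1;
    memset(pkt, 0, NAME_LEN);
    memcpy(pkt, name, len);
    return 0;
}

/* Returns the flag byte after the vulnerable write (1: it was flipped). */
int overflow_flips_flag(void)
{
    uint8_t pkt[PKT_LEN] = { 0 };
    return set_name_vulnerable(pkt, bad_name, sizeof bad_name);
}

/* Returns 1 if the hardened write rejected the input and left the flag 0. */
int overflow_rejected(void)
{
    uint8_t pkt[PKT_LEN] = { 0 };
    int rc = set_name_checked(pkt, bad_name, sizeof bad_name);
    return rc == -1 && pkt[FLAG_OFF] == 0;
}

int main(void)
{
    printf("overread: %d secret bytes leaked, checked version returns %d\n",
           overread_leaks_secret(), overread_rejected());
    printf("overflow: flag after vulnerable write = %d, checked rejects = %d\n",
           overflow_flips_flag(), overflow_rejected());
    return 0;
}
```

The overread stays inside one constructed array so the program itself is well defined; in a real server the same `memcpy` walks off the end of the received buffer into whatever the allocator placed next, which is exactly the adjacent-memory leak Heartbleed exposed. Both defects share the same root cause, a copy length that comes from the input rather than from the destination, and both fixes reduce to one comparison before the copy.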
Klocwork is very good at detecting these kinds of issues, and guarding against them is a central part of security standards such as CERT and CWE. You can see a complete mapping between these standards and Klocwork checkers here.
To learn more about the new Klocwork built-in security reporting, visit klocwork.com. An easy to understand summary of the current vulnerabilities in their critical software projects to give managers and executives,