Klocwork 2016.2: Analysis improved

on Jul 14, 16 • by Walter Capitani • with No Comments

An example of how Klocwork 2016.2 improves the performance of our continuous static code analysis engine ...


Klocwork 2016.2 released this week, kicking off a series of planned upgrades to our C/C++ analysis engine to improve accuracy and performance and to reduce false positives. The Klocwork team upgraded the engine’s internal representation of numeric ranges and the way those ranges are affected by mathematical and logical operators, and added support for 64-bit integers and calculations.

These changes help you find more defects – let me explain how with a defect that Klocwork found in glibc as part of our QA testing (we run performance tests against many open source projects, including Boost, Postgres, and Python).

Getting wise to bits

Take the following piece of code, from glibc, where a potential buffer overflow condition is now caught by our improved engine.

Starting at line 130, the buffer namebuf is allocated with size 256. On line 148, its length is used as a parameter to the RNDUP() macro, which returns 256, a value that is stored in ad->ad_fullnamelen. On the next line, this is used to allocate 257 bytes (ad->ad_fullnamelen + 1) for ad->ad_fullname.

The problem occurs on line 163, where ad->ad_fullnamelen + 1 bytes are copied from namebuf to ad->ad_fullname. This is a buffer overflow condition: the code attempts to copy 257 bytes out of namebuf, which is only 256 bytes long.

This type of defect is caught in Klocwork 2016.2 due to the improved tracking of numeric value ranges when processing bitwise operators, such as the bitwise AND (&) and complement (~) on line 97. In previous versions, without the ability to track the entire range of possible values through these operators, Klocwork was not able to detect that the memcpy() operation on line 163 could access an out-of-range index of the namebuf array.
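The glibc listing itself is not reproduced here, so the following is an added, constructed example (not glibc’s code and not a Klocwork artifact) that reproduces the arithmetic the post describes: a 256-byte namebuf, a rounding macro built from bitwise AND and complement, an ad_fullnamelen derived from it, and a copy of ad_fullnamelen + 1 bytes. The RNDUP() definition (round up to a multiple of 4), the struct name addr_desc, NAMEBUF_SIZE and all function names are assumptions for illustration. The example computes the copy length, shows the one-byte over-read, and contrasts it with a variant that bounds the copy by what the source buffer actually holds.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed rounding macro: rounds x up to a multiple of 4 with bitwise AND
 * and complement, the operator pattern the post says the engine now tracks.
 * Constructed stand-in, not glibc's definition. */
#define RNDUP(x) (((x) + 3) & ~3)

#define NAMEBUF_SIZE 256   /* matches the 256-byte namebuf in the post */

/* Constructed record carrying the two fields the post names. */
struct addr_desc {
    char *ad_fullname;
    size_t ad_fullnamelen;
};

/* Bytes the described memcpy() pulls out of namebuf: RNDUP(size) + 1.
 * For a 256-byte buffer RNDUP() yields 256, so 257 bytes are copied. */
size_t copy_len_as_described(size_t namebuf_size)
{
    return RNDUP(namebuf_size) + 1;
}

/* 1 when the copy reads past the end of the source buffer. This is the
 * out-of-range access a range-tracking analyzer has to prove is reachable. */
int copy_overreads_source(size_t namebuf_size)
{
    return copy_len_as_described(namebuf_size) > namebuf_size;
}

/* Bounded length of a NUL-terminated name; never scans past limit. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened variant: derive the length from the bytes actually present in
 * namebuf and copy only that many, so the copy can never exceed the source.
 * Returns 0 on success, -1 on allocation failure. */
int fill_fullname_safe(struct addr_desc *ad, const char *namebuf, size_t namebuf_size)
{
    size_t len = bounded_len(namebuf, namebuf_size);
    ad->ad_fullnamelen = len;
    ad->ad_fullname = malloc(len + 1);
    if (ad->ad_fullname == NULL)
        return -1;
    memcpy(ad->ad_fullname, namebuf, len);   /* len <= namebuf_size */
    ad->ad_fullname[len] = '\0';
    return 0;
}

/* Runs the safe path on a constructed sample name and returns the length
 * it stored; (size_t)-1 on allocation failure. */
size_t demo_safe_copy(void)
{
    char namebuf[NAMEBUF_SIZE] = "host.example.test";   /* constructed sample */
    struct addr_desc ad;
    if (fill_fullname_safe(&ad, namebuf, sizeof namebuf) != 0)
        return (size_t)-1;
    size_t stored = ad.ad_fullnamelen;
    free(ad.ad_fullname);
    return stored;
}

int main(void)
{
    printf("RNDUP(%d) = %zu, bytes copied = %zu, over-read = %s\n",
           NAMEBUF_SIZE, (size_t)RNDUP((size_t)NAMEBUF_SIZE),
           copy_len_as_described(NAMEBUF_SIZE),
           copy_overreads_source(NAMEBUF_SIZE) ? "yes" : "no");
    printf("safe copy stored %zu bytes\n", demo_safe_copy());
    return 0;
}
```

The vulnerable arithmetic is deliberately kept as plain functions over sizes so you can see why the defect only becomes provable once the analyzer carries the full value range through `& ~3`: for any namebuf size that is already a multiple of 4, RNDUP() is the identity and the `+ 1` lands one byte past the end.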

Now, you get an ABV.GENERAL defect like this:

As you can see, finding and reporting overflow conditions like this can be tricky: you not only have to account for data ranges but also for inputs, conditional execution, macros, compiler directives, and the many other constructs that make up an application. More importantly, buffer overflows are a large security risk and appear in many secure coding guidelines, including the CWE/SANS Top 25 Most Dangerous Software Errors, CERT, and DISA STIG, all of which are standards we help you achieve compliance with (learn more here).

There are other improvements like this in Klocwork 2016.2, improving detection performance for memory leaks, MISRA defects, unreachable code, uninitialized variables, tainted data, and more. For a complete list of updates, including the expansion of our industry-leading MISRA coverage, read our what’s new documentation.

Download Klocwork 2016 now or request a free trial

Also check out Klocwork static code analysis on Twitter: #CodeAnalysisLife
