ID: 638087 • Letter: 3
Question
3 Understanding Coding Issues
Numerous automated code checking utilities are available on the market today. Most of these utilities operate in the same way that a virus checker scans for known viruses, and they allow the user to catch many more errors than would be possible with a hand-checked static analysis of the same code. The output of these utilities is a listing of the statements that could constitute weaknesses or outright vulnerabilities in the software.
The tool you will be using in this exercise is not a static source code analyzer. Instead, it consolidates the output that multiple code checking tools would typically produce: bug listings. The expectation is that you will be able to use this output to make targeted judgments about the state of the application you are analyzing.
For this assignment, assume you are part of the Patch Management Group (PMG) for your IT organization. The chief information security officer (CISO) has just called you into his office and told you that he has gotten a report that the web browser that is used throughout the company (Mozilla Firefox) might have a buffer overflow problem. He has told you that if there is a problem he wants it patched right away.
You are back at your desk and you have opened Bugzilla, the consolidation utility that the company uses to identify and track bugs in Firefox. Even though it is freeware, a number of organizations such as Ford Motor Company and NASA use this utility to control their application development and maintenance processes. This utility catalogs all known bugs associated with your target application. These reports encompass everything from the output of static code analysis tools to software community reports from places like the United States Computer Emergency Readiness Team (US-CERT).
For this Discussion you will use Bugzilla to identify known bugs that cause security issues. You will also analyze the differences between this bug-reporting tool and static code analyzers available on the market.
To begin your assignment, go to Bugzilla and enter "buffer overflow firefox" in the search box. You will find a list of instances where buffer overflow is an issue in Firefox.
Then, using the resources provided for this unit or your own Internet research, locate information about a static source code analyzer and become familiar with its features and capabilities, benefits and limitations.
In your post, identify the analyzer you found, and discuss the following:
Explanation / Answer
Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis).[1] In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code. The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding, program comprehension or code review.
The sophistication of the analysis performed by tools varies from those that only consider the behavior of individual statements and declarations, to those that include the complete source code of a program in their analysis. The uses of the information obtained from the analysis vary from highlighting possible coding errors (e.g., the lint tool) to formal methods that mathematically prove properties about a given program (e.g., its behavior matches that of its specification).
Software metrics and reverse engineering can be described as forms of static analysis. Deriving software metrics and static analysis are increasingly deployed together, especially in creation of embedded systems, by defining so-called software quality objectives.
A growing commercial use of static analysis is in the verification of properties of software used in safety-critical computer systems and locating potentially vulnerable code. For example, the following industries have identified the use of static code analysis as a means of improving the quality of increasingly sophisticated and complex software:
Static code analysis is a powerful way of improving the quality of source code. Using tools such as Klocwork, issues in source code can be automatically detected. Some of those issues represent defects injected during implementation activities or even during earlier development phases. These issues should be properly tracked and analyzed.
The goal of static code analysis varies from tool to tool. Some of the most in-demand forms of static code analysis are
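To make the spectrum described above concrete, here is a toy checker written for this page; it is an added example and not code from the answer, from Klocwork, lint, or any other tool named here. It sits at the statement-level end: it scans C source text line by line, flags every call to an unbounded copy routine (the lint-class warning), and adds one slightly deeper, scope-aware check: a `strcpy` of a string literal that cannot fit the fixed-size `char` array it targets. The sample C input is constructed for the example and is not Firefox code. What it deliberately cannot do (follow data through variables, reason across functions, parse real C) is exactly what a commercial whole-program analyzer adds.

```python
"""Lint-style static checker for a few classic C buffer-overflow patterns.

Added illustration only: a toy, not lint, Klocwork, or any tool the page
names. It works on source text line by line (the statement-level end of the
spectrum); it does not parse C, track data flow, or look across functions.
"""
import re
from dataclasses import dataclass

# Library calls that copy or read with no length bound. Their mere presence
# is worth a warning, which is the kind of finding a lint-class tool emits.
UNBOUNDED_SINKS = {"strcpy", "strcat", "sprintf", "gets", "scanf"}

# Constructed sample input for this example (not real Firefox code).
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[16];
    strcpy(buf, "Hello, dear user ");   /* 17 chars + NUL = 18 bytes into 16 */
    strcat(buf, name);                  /* appends an unbounded string */
    printf("%s\n", buf);
}

void safe_greet(const char *name) {
    char buf[64];
    snprintf(buf, sizeof buf, "Hello, %s", name);
    puts(buf);
}
'''

ARRAY_DECL = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
CALL = re.compile(r'\b(\w+)\s*\(')
STRCPY_LITERAL = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)')
COMMENT = re.compile(r'/\*.*?\*/|//.*')   # single-line comments only


@dataclass
class Finding:
    line: int
    kind: str      # "unbounded-call" or "overflow"
    message: str


def c_literal_len(body: str) -> int:
    """Bytes a C string literal occupies before the NUL. Every escape
    sequence counts as one byte (numeric escapes are approximated as one)."""
    return len(re.findall(r'\\.|.', body))


def analyze(source: str) -> list[Finding]:
    findings: list[Finding] = []
    sizes: dict[str, int] = {}   # fixed-size char arrays visible in the current scope
    depth = 0                    # brace nesting; locals are forgotten when a body closes

    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = COMMENT.sub("", raw)   # string contents are not parsed (toy limitation)

        # Check 1 (statement level): any call to an unbounded copy/read routine.
        for name in CALL.findall(code):
            if name in UNBOUNDED_SINKS:
                findings.append(Finding(lineno, "unbounded-call",
                                        f"{name}() has no length bound; prefer a sized alternative"))

        # Remember fixed-size char arrays so later copies into them can be sized.
        for dest, size in ARRAY_DECL.findall(code):
            sizes[dest] = int(size)

        # Check 2 (scope aware): strcpy of a literal that cannot fit its destination.
        m = STRCPY_LITERAL.search(code)
        if m:
            dest, body = m.group(1), m.group(2)
            needed = c_literal_len(body) + 1   # +1 for the terminating NUL
            if dest in sizes and needed > sizes[dest]:
                findings.append(Finding(lineno, "overflow",
                                        f"strcpy writes {needed} bytes into {dest}[{sizes[dest]}]"))

        new_depth = depth + code.count("{") - code.count("}")
        if depth > 0 and new_depth <= 0:
            sizes.clear()            # leaving a function body: its locals are gone
        depth = max(new_depth, 0)

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_C):
        print(f"line {f.line}: [{f.kind}] {f.message}")
```

Run against the sample, it reports the `strcpy` line twice (once as an unbounded call, once as a proven 18-into-16 overflow) and the `strcat` line once, while `snprintf` with `sizeof buf` passes. Note what the toy misses: `strcat(buf, name)` is flagged only because the function name is on the list; whether it actually overflows depends on `name`, which arrives from the caller, and answering that requires the interprocedural, data-flow reasoning the answer attributes to the more sophisticated tools.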