INCORPORATING CERT SECURE CODING STANDARDS IN TERMS OF UNDEFINED BEHAVIOR AND USELESS CONDITIONS INTO THE CPPCHECK PROJECT

A thesis submitted to Kent State University in partial fulfillment of the requirements for the degree of Master of Science in Computer Science

By Anwar Alsulaiman
August 16th, 2014

Thesis written by Anwar Alsulaiman
B.S., King Faisal University, KSA 2009
M.S., Kent State University, USA 2014

Approved by
Dr. Michael Rothstein, Advisor
Dr. Javed I. Khan, Chair, Department of Computer Science
Dr. James Blank, Dean, College of Arts and Sciences

TABLE OF CONTENTS

LIST OF FIGURES ... vi
LIST OF TABLES ... vii
ACKNOWLEDGEMENTS ... viii
CHAPTER 1 INTRODUCTION ... 1
1.1 Open Source Software ... 1
1.1.1 History ... 1
1.1.2 What is Open Source? ... 2
1.1.3 Open Source vs. Closed Source ... 3
1.2 CPPCHECK ... 5
1.2.1 How Does CPPCHECK Work? ... 6
1.2.1.1 Control Flow Analysis ... 6
1.2.2.2 Token List Method ... 10
1.3 CERT ... 13
1.3.1 What is CERT? ... 13
1.3.2 CERT Secure Coding Standards ... 13
CHAPTER 2 STATIC CODE ANALYSIS TOOLS ... 15
2.1 What is Static Code Analysis? ... 15
2.2 Static Code Analysis Methods ... 15
2.3 Advantages and Disadvantages of Static Code Analysis ... 16
2.4 Most Popular Commercial Static Code Analysis Tools ... 17
2.4.1 PC-Lint ... 17
2.4.2 Klocwork Insight ... 18
2.4.3 Coverity Prevent ... 18
2.5 Static Code Analysis Types ... 18
2.5.1 Non-Annotated Static Code Analyzers ... 19
2.5.2 Annotated Static Code Analyzers ... 20
2.5.2.1 Splint ... 20
2.5.2.2 CSSV ... 21
2.5.2.3 CQUAL ... 22
2.5.2.4 Meta-Compilation (MC) ... 22
2.5.2.5 CPPCHECK ... 22
2.6 Why CPPCHECK? ... 23
CHAPTER 3 CONTRIBUTION TO CPPCHECK ... 24
3.1 CPPCHECK Environment ... 24
3.2 The Procedure of New Checks Implementation ... 25
3.3 Implemented CERT Rules Checks ... 27
3.3.1 ARR02-C/C++ (Explicitly specify array bounds, even if implicitly defined by an initializer) ... 27
3.3.2 EXP01-C/C++ (Do not take the size of a pointer to determine the size of the pointed-to type) ... 30
3.3.3 FIO01-C/C++ (Be careful using functions that use file names for identification) ... 32
3.3.4 FIO17-C/C++ (Prefer streams to C-style input and output) ... 36
3.3.5 INT06-C/C++ (Use strtol() or a related function to convert a string token to an integer) ... 38
3.3.6 CON30-C/C++ (Clean up thread-specific storage) ... 39
3.3.7 SIG32-C/C++ (Do not call longjmp() from inside a signal handler) ... 41
3.3.8 STR32-C/C++ (Do not pass a non-null-terminated character sequence to a library function that expects a string) ... 43
CHAPTER 4 FUTURE WORKS ... 45
4.1 Adding a Setting in CPPCHECK Library ... 45
Example (string copy) ... 47
Example (buffer size smaller than size parameter) ... 47
CHAPTER 5 CONCLUSION ... 48
APPENDIX A ... 49
APPENDIX B ... 52
REFERENCES ... 155

LIST OF FIGURES

Figure 1.1: Token list method mechanism ... 10
Figure 1.2: Example of token list method process ... 12
Figure 3.1: Flowchart of ARR02 rule ... 29
Figure 3.2: Flowchart of EXP02 rule ... 30
Figure 3.3: Flowchart of FIO01_1 rule ... 33
Figure 3.4: Flowchart of FIO01_2 rule ... 34
Figure 3.5: Flowchart of FIO17 rule ... 36

LIST OF TABLES

Table 1.1: Open source software project vs. closed source software project ... 4
Table 2.1: Average cost of fixing defects depending on the time they were detected ... 17

ACKNOWLEDGEMENTS

My master's degree thesis would not have been possible without the support of many caring individuals in my life, including supportive faculty and family members. First on the list is my advisor, Dr. M. Rothstein, who helped me to make sense of things by directing my thinking to the right path and paving the road for this study. As a result, he added value to my work in order to accomplish this important milestone toward fulfilling my objective. Of course, many thanks go to my supporting thesis committee members, Dr. M. Austin and Dr. H. Peyravi, who valued and accepted my study. Moreover, I would not forget the support of my husband, parents, and numerous friends who endured this long process with me, always offering support and love. Cheers to all of them!

Anwar Alsulaiman
June 14, 2014, Kent, Ohio

CHAPTER 1
Introduction

In this thesis, we propose a way to make the open source software project called CPPCHECK as secure as possible by adding high-potential static checkers for program vulnerabilities. Therefore, we are looking to implement static checkers with high-level security standards. The Computer Emergency Response Team (CERT) secure coding standards meet our requirements. In particular, this thesis will address the security limitation of CPPCHECK in the detection of undefined behavior and useless conditions. We will use new techniques for modeling these more elaborate rules' checkers using the token list and initial rule file methods, which are feasible for this project, as discussed in chapter 3. This chapter gives a basic background of open source, CPPCHECK, and CERT secure coding standards.
In chapter 2, we survey static code analysis tools and explain why CPPCHECK has been chosen for this thesis. In chapter 3, we show our contribution to CPPCHECK, and in chapter 4 we give suggestions for future work.

1.1 Open Source Software

1.1.1 History

Before the birth of the earliest form of the Internet, computer programs were freely distributed with their source code. They were shared and used at no cost. Software users could access and modify source code according to their needs. However, in 1969, IBM started to unbundle its products and charge separately for its software [2] [3]. These were the first non-free computer programs. Since then, accessing and modifying source code has become restricted.

In the 1980s, many users started to share computer programs with their source code through the Bulletin Board System (BBS) network [1]. Wayne Bell, creator of the WWIV BBS system, notably shared his modifications of the software's source code on his system [1]. After that, the shared source code concept spread through Unix-to-Unix Copy (UUCP), Usenet, Internet Relay Chat (IRC), and the Gopher protocol [1].

In early 1998, a free software movement group called Netscape Communications Corporation chose the term "Open Source" when they released their own source code under the Netscape Public License (NPL) [4]. Many other terms have been used thereafter, such as "Open Software," "Open Domain," "Free Open-Source Software," and "Commercial Open-Source Software." In addition, many open source software projects have emerged [1].

1.1.2 What is Open Source?

The term "open source" refers to a computer program whose source code is freely accessible for use or modification. Such modifications include adding new features, fixing bugs, reporting bugs, or submitting documentation [6]. Initially, this kind of software comes with information from the developers, such as files, features, news, support, and documentation, giving users the proper environment for any development.