Difference between revisions of "Secure coding tools"

From Simson Garfinkel
Jump to navigationJump to search
Line 30: Line 30:


* [https://pubweb.eng.utah.edu/~cs5785/slides-f10/Dangerous+Optimizations.pdf Dangerous Optimizations and the Loss of Causality], CERT Technical Report CS 15-392, Robert C. Seacord
* [https://pubweb.eng.utah.edu/~cs5785/slides-f10/Dangerous+Optimizations.pdf Dangerous Optimizations and the Loss of Causality], CERT Technical Report CS 15-392, Robert C. Seacord
* [https://people.csail.mit.edu/nickolai/papers/wang-undef-2012-08-21.pdf Undefined Behavior: What Happened to my Code?], Xi Wang, Haogang Chen, Alvin Cheung, Zhihao Jia, Nickolai Zeldovich, M. Frans Kaashoek, APSys ’12, July 23–24, 2012, Seoul, S. Korea, Copyright 2012 ACM 978-1-4503-1669-9/12/07

Revision as of 18:06, 27 October 2018

C/C++:

  • Clang Thread Safety Analysis
  • Rosecheckers – perform static analysis on C/C++ source
  • Compiler-Enforced Buffer Overflow Elimination

Android:

  • DidFail – uses static analysis to detect potential leaks – Android

See also:

Formal Verification Tools

CompCert is a formally verified optimizing C compiler. "On typical embedded processors, code generated by CompCert typi­cally runs twice as fast as code generated by GCC without optimizations, and only 20% slower than GCC code at optimization level 3. Details about the benchmark mix used to obtain these numbers are avail­able on request."

CompCert is free for non-commercial use.

Optimization Based on Undefined Behavior

  • Undefined Behavior: What Happened to my Code?, Xi Wang, Haogang Chen, Alvin Cheung, Zhihao Jia, Nickolai Zeldovich, M. Frans Kaashoek, APSys ’12, July 23–24, 2012, Seoul, S. Korea, Copyright 2012 ACM 978-1-4503-1669-9/12/07