Introduction

This document describes the individual problem types detected by the compiler when running in static security analysis mode.

Static security analysis is the process of finding errors and security weaknesses in software through detailed analysis of source code.

Static security analysis requires the full Intel® Parallel Studio XE or Intel® C++ Studio XE product. The analysis itself is performed by the compiler, but the results can only be viewed with the Intel® Inspector XE GUI. Analysis can be performed on one machine and the results viewed on another. In this case, only the compiler need be installed on the analysis machine. Both the compiler and Intel® Inspector XE must be installed, along with a valid Intel® Parallel Studio XE or Intel® C++ Studio XE license, on the viewing machine.

Static security analysis finds a wide range of problems that can compromise application security and correctness. This document explains each problem type in detail, and provides some examples that illustrate the problem or suggest ways it can be repaired. Not all instances of a particular problem type can be detected, so the absence of a diagnostic does not ensure that a program is completely free of that type of problem.

Static security analysis often detects several different forms of the same kind of problem. For example, suppose an integer variable is set to zero and then used as the divisor in a divide operation. This is reported as a "divide by zero" error, because the divisor is zero on every path that reaches the division. Now suppose that same divide operation is preceded by an "if" statement that sets the integer to zero on one branch and to a non-zero value on the other. This is reported as a "possible divide by zero" error, since the divide operation might or might not divide by zero, depending on which execution path was taken. Both of these errors are described by a single section in this document.

These descriptions presume the reader is viewing the diagnostic in the GUI.

In the GUI, source references associated with diagnostics are expressed as "observations." Each observation has an observation type that describes its role in the problem. For example, in a use-after-free error, there will be two observations: the place where storage was deallocated and the place it was subsequently used. In this section, these two observations are described in a table that looks like this:

ID   Observation          Description
1    Deallocation site    The place the storage was deallocated
2    Memory access        The place the storage was referenced

Static security analysis often combines related problems into a single problem set. For example, suppose an assignment statement that sets a pointer to zero is followed by an "if" statement, and both branches of that "if" statement dereference the pointer. Each branch is a null pointer dereference. Static security analysis combines these two null pointer diagnostics into a single problem set with one "Memory write" observation (the assignment) and two "Null dereference" observations (one per branch). Generally speaking, the observation set of a problem set is the union of the observations from the individual problems with duplicates removed.
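The source shapes described in the two preceding paragraphs, written out as an added C example (this code is not part of the Intel documentation). The unconditional and conditional divide-by-zero forms and the null-pointer problem set appear next to repaired versions of the same code. The comments naming a diagnostic or observation describe what the text above says the analysis reports for that shape; whether a given compiler version flags exactly these lines is an assumption, not something the example can verify.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Shape 1: "divide by zero". The divisor is zero on every path that reaches
 * the division, so the report is unconditional. Never call this function;
 * the division is undefined behaviour. */
int unconditional_divide(int numerator) {
    int divisor = 0;
    return numerator / divisor;       /* diagnosed: divide by zero */
}

/* Shape 2: "possible divide by zero". Whether the divisor is zero depends on
 * which branch of the if was taken, so the report is conditional. */
int conditional_divide(int numerator, bool use_zero) {
    int divisor;
    if (use_zero)
        divisor = 0;
    else
        divisor = 4;
    return numerator / divisor;       /* diagnosed: possible divide by zero */
}

/* Repair: test the divisor on the path that uses it and return a status, so
 * the caller can distinguish a rejected division from a real quotient. */
bool checked_divide(int numerator, int divisor, int *quotient) {
    if (divisor == 0)
        return false;
    *quotient = numerator / divisor;
    return true;
}

/* Problem-set shape: one assignment of a null pointer followed by an if whose
 * two branches both dereference it. Per the text, this is reported as one
 * problem set with one "Memory write" observation (the assignment) and two
 * "Null dereference" observations (one per branch). Never call this function. */
int null_in_both_branches(bool flag) {
    int *p = NULL;                    /* observation: Memory write */
    if (flag)
        return *p + 1;                /* observation: Null dereference */
    else
        return *p - 1;                /* observation: Null dereference */
}

/* Repair: reject a null pointer once, before either branch dereferences it.
 * The fallback parameter is an assumption of this example. */
int guarded_select(const int *p, bool flag, int fallback) {
    if (p == NULL)
        return fallback;
    return flag ? *p + 1 : *p - 1;
}

int main(void) {
    int quotient = 0;
    if (checked_divide(20, 4, &quotient))
        printf("20 / 4 = %d\n", quotient);
    if (!checked_divide(20, 0, &quotient))
        printf("20 / 0 rejected\n");

    int value = 10;
    printf("guarded_select(&value, true)  = %d\n", guarded_select(&value, true, -1));
    printf("guarded_select(NULL, true)    = %d\n", guarded_select(NULL, true, -1));
    return 0;
}
```

Only the repaired functions and the non-zero branch of conditional_divide are safe to execute; the two diagnosed functions exist to show the source patterns the analysis distinguishes, not to be run.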

Copyright © 2010, Intel Corporation. All rights reserved.