Abstract
Writing correct C programs is well-known to be hard, not least due to the many interesting language features intrinsic to C. Writing secure C programs is even harder and, at times, seemingly impossible. To improve on this situation the US CERT has developed and published a set of coding standards, the "CERT C Secure Coding Standard", that enumerates a number of rules and recommendations with the aim of making C programs (more) secure. Automated tool support is essential for certifying that a given system is in compliance with the rules and/or recommendations of the standards. In this paper we report on work-in-progress with integrating two state-of-the-art analysis tools, Clang and Coccinelle, into a combined tool perfectly suited for analysing and certifying C programs according to, e.g., the CERT C Secure Coding Standard or the MISRA (Motor Industry Software Reliability Association) C standard. We further argue that such a tool must be highly adaptable and customisable to individual software projects as well as to the certification rules required by a given standard.

Clang is the C frontend for the LLVM compiler/virtual machine project, which includes a comprehensive set of static analyses and code checkers. Coccinelle is a program transformation tool and bug-finder developed originally for the Linux kernel, but it has been successfully used to find bugs in other Open Source projects such as WINE and OpenSSL.
Original language | English |
---|---|
Title | Proceedings of the Fourth International Workshop on Foundations and Techniques for Open Source Software Certification (OpenCert 2010) |
Editors | Luis S. Barbosa, Antonio Cerone, Siraj A. Shaikh |
Number of pages | 18 |
Publication date | Sep 2010 |
DOI | |
Status | Published - Sep 2010 |
Event | 4th International Workshop on Foundations and Techniques for Open Source Software Certification, Pisa, Italy. Duration: 17 Sep 2010 → 18 Sep 2010. Conference number: 4 |
Conference
Conference | 4th International Workshop on Foundations and Techniques for Open Source Software Certification |
---|---|
Number | 4 |
Country/Territory | Italy |
City | Pisa |
Period | 17/09/2010 → 18/09/2010 |
Name | Electronic Communications of the EASST |
---|---|
Volume | 33 |
ISSN | 1863-2122 |