INTRODUCTION:
The latest release of CodeSonar, version 4.5, has updates in key areas and innovations that include detecting insider attacks, a new Python API, and compiler model support. This is a significant new release of CodeSonar and this post provides an overview of the innovations and improvements.
Related:
- GrammaTech Releases CodeSonar 4.5 with Cybersecurity Focus
- CodeSonar Enters the World of iOS and Objective-C
- GrammaTech Announces Enhancements to CodeSonar Visualization
Python API
Python provides a cross platform, easier entry point into customization of CodeSonar 4.5 static analysis rules. In this new release, a complete Python API is available that provides a rapid development environment for static analysis rule checker creation and customization. The new API also provides compiler model access in Python (which is a fast way to make new compilers available.) Although the Python execution of a custom checker might be slower on a large code base than the equivalent C++ version, development and debugging is easier in Python. Checkers can be ported to C++ if higher performance is required.
Compiler Modeling
It is important that a static analysis tool understand the code exactly the way the compiler does. The same include files, include paths, #defines and such. Compiler models provide the glue between CodeSonar and your compiler. CodeSonar 4.5 provides new compiler models for Keil C51, Renesas ccrx, TASKING TriCore, PCP, and C166/ST10 compilers.
Insider Threat Detection
Insiders are people working inside the secure perimeter either as users, developers or other trusted personnel. The big difference from regular cyber-attacks is the insider is often on a trusted network or has physical access to the device or system. Advanced static analysis tools can detect different classes of security vulnerabilities such as buffer, numeric and stack overflows, command injection, and use of insecure library functions. For example, these new checkers include detecting the use of a untrusted network host, untrusted library load, untrusted network port and untrusted Process Creation. There are also checkers for detecting possible anti-debugging code, the use of chroot() without chdir() and potential timebombs. There will be more details on these new checkers in a later post.
Improved Floating Point Support
In the latest release of CodeSonar, there are significant improvements in handling of floating point arithmetic and a number of new library models for floating point operations. The improvement includes reducing false positives on paths that depend on floating point arithmetic. There are two new floating-point-related warning classes for detecting division by zero and the square root of a negative value. The API has also been extended to support floating point values.
Updates to Binary Code Analysis
CodeSonar’s unique binary code analysis capability gains support for Mac OS X binaries for x86/x64 and Microsoft Visual Studio extended object file format – XCOFF. Improvments have been made to code disassembly plus inline source information to improve the understanding of analyzed object code. The latest release has better recovery of function parameters and improved Windows library function scanning.
Other enhancements
CodeSonar 4.5 includes various performance upgrades and bug fixes as expected but also a varied list of other enhancements:
- MISRA rule checking performance improvements
- Improved C++ parsing and upgraded EDG parser
- Windows Secureboot support
- DISA STIG mappings
CodeSonar 4.5 is an important milestone for the product and provides various improvements and innovations. It’s available as a free upgrade for all customers with active support and maintenance.
