[Cryptography] Ada vs Rust vs safer C

Sun Sep 18 04:33:12 EDT 2016

* Peter Gutmann:

> Florian Weimer <fw at deneb.enyo.de> writes:
>
>>* John Denker:
>>> Another line of attack is to add /annotations/ to make static
>>> analysis more effective.
>>
>>We have some very powerful tools, but my impression is that in order to use
>>them, I need to manually massage my source code and feed it to the tool
>>outside of the build process.  This may certainly give important insights,
>>but by its nature, it's just a snapshot (like a source code audit, or a
>>typical fuzzing effort).  What I want is something that runs as part of the
>>regular build process, just like a test suite, and that narrows the set of
>>available tools quite significantly (and most have you deal with license
>>management *yuck*).
>
> You've just described PREfast (for an annotation-guided analyser) [0] and
> Coverity/Fortify/whatever (plus the somewhat more limited clang analyser) for
> a non-guided analyser.

I'm not sure.  PREfast is explicitly targeted at “small code bases”:

| Users commonly run PREfast over a section of code, view results,
| make fixes, and then run PREfast again. It is recommended that you
| divide your build into small (10 MB or less) sections, and run
| PREfast on each section.

The Clang analyzer works reasonably well only on a single translation
unit.  In both cases, source code massaging is still needed (but maybe
less so PREfast's case if the “10 MB” figure refers to actual source
code, and not produced binaries with debugging information).

The PREfast web site says it performs intraprocedural analysis, which
means that source code rewriting (or annotations) might be required as
well (but I don't really now what it does).

Coverity is somewhat different.  It performs interprocedural analysis
across translation units.  But the inter-translationpunit analysis
also assumes a certain way code is built, which may or may not apply
to typical build environments, so annotations or code restructuring is
still needed.

Coverity does find relevant bugs (“relevant” in the sense that they
had to be fixed after shipping the product).  But the results are just
not good enough to aggressively compel its use.  The other issue is
that Coverity has been designed for an advisory role.  There are
basically three ways to address a report: mark it for suppression in
the future, fix the underlying issue, or change things in such a way
that Coverity no longer addresses the bug.  Even if you rule out the
first option, with a sufficiently nasty code base, you can
accidentally end up in the last cast while aiming for the second.  I
still think Coverity is quite useful (despite the non-technical issues
surrounding its use), but I don't think it will bring us closer to a
“safer C”.

I haven't used Fortify.

> PREfast has the advantage that it's free, but also the
> disadvantage that it's somewhat under-documented, so the annotations for more
> complex things like pointer derefs are kind of trial-and-error (if anyone from
> MS is reading this and can answer some questions on PREfast annotations or can
> update the documentation, it'd be a great help, there's a pile of stuff around
> DEREF that's so sparsely documented it's pure guesswork on how to apply it).

If there are annotations that are really helpful and not utterly
Windows-specific, we can put them into GCC.  We just need
documentation.

> [0] And for the people who are going to say "but that's Windows only", you've
>     got the source code for gcc/clang/whatever, what's the problem? :-).

We have a code base which uses C99/C11 features heavily. :-/