Developers aim to rid source code of bugs

Free Newsletters

Log-in | Register

Developers aim to rid source code of bugs Dawson Engler and Ben Chelf of Coverity share their dedication to effective analysis
By Jon Udell October 30, 2004			E-mail Printer Friendly Reprints Slashdot It!

Dawson Engler is chief scientist with Coverity and Ben Chelf is chief evangelist. We asked them to elaborate on the advances to source code analysis that they orginally developed at Stanford.

Free IT resource

Hear how top CIOs turn change into a competitive advantage.

Sponsored by Microsoft

IW: To what extent have security concerns motivated the current wave of interest in source code analysis?

DE: It wasn’t really an impetus for us when we started five or six years ago. And when Intrinsa made the first serious commercial play back in the late 1990s -- they were used in a lot of places like Cisco -- most of the errors they looked for weren’t security errors. Of course there’s a much clearer monetization story these days. You see a whole bunch of VCs doing static analysis, where before they wouldn’t have touched it at all. Nowadays you can make a much stronger business case to people with checkbooks.

IW: How do you control the high false-positive rate that has made developers so skeptical of lint-like solutions?

BC: Let’s say you know that a parameter passed to a function should never be negative. We can’t always know when it will be negative, but we can often infer that from context. A lot of our work has gone into making sure that when we report an error, we have hard evidence to show you the place we inferred that a certain variable or structure had a value, the place where that value was used incorrectly, and the path between those two points.

IW: How much knowledge of the operating system or the environment is needed for effective analysis?

DE: Very little, fortunately. We’ve checked lots of code that we don’t even understand. You just have to be able to describe the sentence fragment that expresses the rule. So in Linux, for example, one of the rules is that if you’re between cli and sti (disable and enable interrupts), then you can’t call copy_from_user. It’s heavily system-specific, but I just told you the rule, and if you can express that pattern, you’d be all set to go.

BC: You can find bugs in code when the code contradicts itself -- for example, if it uses values one way, and checks them in another. We get a lot of mileage out of that. If you contradict yourself in two places, one of them has to be wrong.

DE: It’s often hard to figure out if something about a system is true. But it’s often very much easier to figure out what the programmer believes to be true. So you look for what the programmer believes, and then check that belief system for contradictions. It’s surprisingly effective.

E-mail

Printer Friendly

Reprints

Slashdot It!


	Jon Udell is lead analyst and blogger in chief at the InfoWorld Test Center. • More of Jon Udell's column • Jon Udell's Weblog Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» Antitrust review of Google-Yahoo deal no surprise
While serious antitrust problems are unlikely, both Google and Yahoo expected their partnership to be subjected to instense DOJ scrutiny

» Top 10: Coreflood, more Microsoft-Yahoo, iPhone plans
This week's wrapup of the top tech news stories includes more Microsoft-Yahoo rumors, iPhone updates, Flash searches, Oracle's BEA roadmap, and more

» Four 'important' Microsoft patches due Tuesday
Not rated "critical," fixes apply to "Elevation of Privileges" and "spoofing" bugs for Windows, Exchange, and SQL

» Judge grants RIM a stay in Visto patent trial
Trial delayed from beginning next week while patent office studies validity of certain parts of e-mail provider Visto's patents as requested by RIM

» Developers satisfied with Apple's enterprise work
Mac developers feel that Apple shouldn't try to make a broad attempt to win over enterprises and should instead focus on certain areas within the enterprise

» Opera patches multiple bugs in flagship browser
Opera 9.5.1 fixes several flaws, including one ranked 'highly critical'

Solutions to the Toughest IT Challenges in Remote Offices
Though small in size, remote offices face many of the same IT challenges as larger central offices. This Webcast zeroes in on the top line challenges to deliver information that can provide immediate benefits to your business. Sponsor: AMD and Dell

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Going mobile with today's technology - Mobile applications are transforming how companies operate. With new ways to work flexibly, employees are becoming more ...
Measuring mobile productivity - Companies must be able to measure productivity gains from mobile working. Productivity is notoriously difficult to measure...
Thinking about IMS - IMS's increased flexibility and the potential it offers for new services will create a fundamental shift in the way that...
Agile Development: 5 Steps to Continuous Integration - As more and more organizations adopt agile development, the need for continuous integration of a build can be a daunting...
Leading Analysts: Pen Testing is a Requirement - In a newly-published case study, Gartner's John Pescatore, one of the most respected analysts covering the IT security market...
Get more from your Electronic Software Delivery investment - Electronic software delivery (ESD) offers software vendors the potential for significant business benefits. By enabling ...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. AT&T - Factors to consider when comparing DSL or Cable Cirba - Advanced Workload Analysis Techniques CA - Manage your IT more effectively. Efficient - Flexible - Compliant HP/Intel - If you don't have enough I/O, your VMs aren't going to go. Rackspace - Go Green Without Sacrificing Server Performance AT&T - Measuring mobile productivity AT&T - Thinking about IMS CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event AT&T - Going mobile with today's technology Cirba - Consolidating Workloads onto Mainframes AT&T - What to expect from a Technology Assessment. AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography		Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist