Static program analysis
Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.
The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding, program comprehension, or code review. Software inspections and software walkthroughs are also used in the latter case.
Rationale
The sophistication of the analysis performed by tools varies from those that only consider the behaviour of individual statements and declarations, to those that include the complete source code of a program in their analysis. The uses of the information obtained from the analysis vary from highlighting possible coding errors to formal methods that mathematically prove properties about a given program.Software metrics and reverse engineering can be described as forms of static analysis. Deriving software metrics and static analysis are increasingly deployed together, especially in creation of embedded systems, by defining so-called software quality objectives.
A growing commercial use of static analysis is in the verification of properties of software used in safety-critical computer systems and
locating potentially vulnerable code. For example, the following industries have identified the use of static code analysis as a means of improving the quality of increasingly sophisticated and complex software:
- Medical software: The U.S. Food and Drug Administration has identified the use of static analysis for medical devices.
- Nuclear software: In the UK the Office for Nuclear Regulation recommends the use of static analysis on reactor protection systems.
- Aviation software
A study from 2010 found that 60% of the interviewed developers in European research projects made at least use of their basic IDE built-in static analyzers. However, only about 10% employed an additional other analysis tool.
In the application security industry the name Static Application Security Testing is also used. SAST is an important part of Security Development Lifecycles such as the SDL defined by Microsoft and a common practice in software companies.
Tool types
The OMG published a study regarding the types of software analysis required for software quality measurement and assessment. This document on "How to Deliver Resilient, Secure, Efficient, and Easily Changed IT Systems in Line with CISQ Recommendations" describes three levels of software analysis.; Unit Level: Analysis that takes place within a specific program or subroutine, without connecting to the context of that program.
; Technology Level: Analysis that takes into account interactions between unit programs to get a more holistic and semantic view of the overall program in order to find issues and avoid obvious false positives. For instance, it is possible to statically analyze the Android technology stack to find permission errors.
; System Level: Analysis that takes into account the interactions between unit programs, but without being limited to one specific technology or programming language.
A further level of software analysis can be defined.
; Mission/Business Level: Analysis that takes into account the business/mission layer terms, rules and processes that are implemented within the software system for its operation as part of enterprise or program/mission layer activities. These elements are implemented without being limited to one specific technology or programming language and in many cases are distributed across multiple languages, but are statically extracted and analyzed for system understanding for mission assurance.
Formal methods
Formal methods is the term applied to the analysis of software whose results are obtained purely through the use of rigorous mathematical methods. The mathematical techniques used include denotational semantics, axiomatic semantics, operational semantics, and abstract interpretation.By a straightforward reduction to the halting problem, it is possible to prove that, finding all possible run-time errors in an arbitrary program is undecidable: there is no mechanical method that can always answer truthfully whether an arbitrary program may or may not exhibit runtime errors. This result dates from the works of Church, Gödel and Turing in the 1930s. As with many undecidable questions, one can still attempt to give useful approximate solutions.
Some of the implementation techniques of formal static analysis include:
- Abstract interpretation, to model the effect that every statement has on the state of an abstract machine. This abstract machine over-approximates the behaviours of the system: the abstract system is thus made simpler to analyze, at the expense of incompleteness. If properly done, though, abstract interpretation is sound. The Frama-C value analysis plugin and Polyspace heavily rely on abstract interpretation.
- Data-flow analysis, a lattice-based technique for gathering information about the possible set of values;
- Hoare logic, a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. There is tool support for some programming languages and the Java Modeling Language—JML—using ESC/Java and ESC/Java2, Frama-C WP plugin for the C language extended with ACSL.
- Model checking, considers systems that have finite state or may be reduced to finite state by abstraction;
- Symbolic execution, as used to derive mathematical expressions representing the value of mutated variables at particular points in the code.
Data-driven static analysis