Program Analysis

Software is transforming the way that we live and work. We communicate with friends via social media on smartphones and use websites to buy what we need and to learn about anything in the world. At work, the software helps us organize our businesses, reach customers, and distinguish ourselves from competitors. Unfortunately, it is still challenging to produce high-quality software, and much of the software we do use has bugs and security vulnerabilities.

Referring to recent examples of problems caused by the software with bugs include; uncontrollable acceleration in Toyota cars, personal information was stolen from Facebook by Cambridge Analytica and a glitch in Nest smart thermostats that left many homes without heat. 

So to improve these conditions and provide better services the term PROGRAM ANALYSIS comes into action. Program analysis is all about analyzing software code and learning about its properties. In computer science, it is the process of automatically analyzing the behaviour of computer programs regarding a property such as correctness, robustness, safety and liveness. It focuses on two major areas: program optimization and program correctness. The main focus is to improve the program's performance while reducing resources used and also keeping the ultimate goal of the program the same as its original one.

Program analysis can be performed without executing the program (static program analysis), during runtime (dynamic program analysis) or in a combination of both.

Static Program Analysis: 

Considering program correctness, static analysis can discover vulnerabilities during the phase of development of the program. It simply means debugging the program even before it is run. the Bugs are found easier in this as it goes to the root of the problem.

Due to many forms of static analysis being computationally undecidable, the mechanisms for doing it will not always end with the right answer – either because they sometimes return a false negative ("no problems found" when the code does have problems) or a false positive, or because they never return the wrong answer but sometimes never end. The first type of mechanism might reduce the number of vulnerabilities, while the second can sometimes give strong assurance of the lack of a certain class of vulnerabilities.

Only correct optimizations are highly desirable. Thus, for program optimization two main strategies are applied to tackle the problems of computationally undecidable analysis:

1. An optimizer that is expected to complete in a relatively short amount of time, such as the optimizer in an optimizing compiler, may use a shortened version of an analysis that is guaranteed to complete in a fixed amount of time, and guaranteed to only find correct optimizations.
2. A third-party optimization tool may be implemented in such a way as to never produce an incorrect optimization, but in some situations, it can continue running indefinitely until it finds one. In this case, the developer using the tool would have to stop the tool and avoid running the tool on that piece of code again or even modify the code.

Some components of this Static analysis are:

Control Flow -This analysis helps in identifying where a particular function is used. The control flow graphs as the name suggests collects the information of all these and represents it such that the nodes are the instructions and the edges are the flow of control.

Data Flow Analysis - This technique gathers information about values at particular positions and how they change over the program. One of the most known examples of data-flow analysis is taint checking which consists of considering all variables which contain user-supplied data – which is considered "tainted" and preventing those variables from being used until they have been cleaned/corrected. This technique is often used to prevent SQL injection attacks.

Abstract Interpretation - It can be also said like collecting information about the possible outcome of a program without actually running it. It helps compilers to predict possible errors and avoid certain bugs.

Type Systems - Type systems associate types to programs that fulfil certain requirements. It is used to how and what a program does. Type checking can also help prevent vulnerabilities by ensuring that a signed value isn't attributed to an unsigned variable.

Effect Systems - We can simply say that they are the systems that represent what effects running a program may have. 

Model Checking -  It refers to strict, formal, and automated ways to check if a model complies with a given specification.

Dynamic Program Analysis:

Dynamic analysis gathers runtime information to increase the precision of the analysis. It also provides runtime protection. As it has these advantages because it can analyze only a single execution and it interferes during the process it can affect the performance of the program.

Some components of this dynamic analysis are:

Similar to the static analysis dynamic analysis has some components as well. It has 3 components as follows:

Testing - A program has to be tested to ensure that its quality and performance are reliable while ensuring that it does not interfere with the functioning of the other applications or tools that it makes use of. This involves running the program with inputs and evaluating its behaviour based on the outputs it gives. The testing process also involves testing the security of the program so that no external sources can not do any kind of tampering with it.

Monitoring - Recording and logging all the information regarding the program like resource usage, events and interactions during the execution to check for any kind of abnormal behaviour in the program. Automated monitoring of programs is sometimes referred to as runtime verification which many of us must have definitely at least heard or read about.

Program Slicing - The term simply means that we have to reduce the program into one which performs all the functions of the previous one. The reduced program is called a "slice" whose execution remains faithful to the original program. It involves creating many such slices so that finding errors can be easier as errors in particular slices can be found and corrected.

Some Examples of Analysis Tools:

• Static analysis - Style checkers and data flow analysis.
• Dynamic analysis - Memory use monitors and profilers.

Now as we know what actually the static and dynamic analysis is we must know both their advantages and limitations:

Static analysis advantages:

1. It can find weaknesses in the code at the exact location.
2. It can be conducted by trained software assurance developers who fully understand the code.
3. It allows a quicker turnaround for fixes.
4. It is relatively fast if automated tools are used.
5. Automated tools can scan the entire code base.
6. Automated tools can provide mitigation recommendations, reducing the research time.
7. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.

Static analysis limitations:

1. It is time-consuming if conducted manually.
2. Automated tools do not support all programming languages.
3. Automated tools produce false positives and false negatives.
4. There are not enough trained personnel to thoroughly conduct static code analysis.
5. Automated tools can provide a false sense of security that everything is being addressed.
6. Automated tools only as good as the rules they are using to scan with.
7. It does not find vulnerabilities introduced in the runtime environment.

Dynamic analysis advantages:

1. It identifies vulnerabilities in a runtime environment.
2. Automated tools provide flexibility on what to scan for.
3. It allows for the analysis of applications in which you do not have access to the actual code.
4. It identifies vulnerabilities that might have been false negatives in the static code analysis.
5. It permits you to validate static code analysis findings.
6. It can be conducted against any application.

Dynamic analysis limitations:

1. Automated tools provide a false sense of security that everything is being addressed.
2. Automated tools produce false positives and false negatives.
3. Automated tools are only as good as the rules they are using to scan with.
4. There are not enough trained personnel to thoroughly conduct dynamic code analysis [as with static analysis].
5. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.

So, the above discussion was about the program analysis which is a major step before the deployment of programs. Even though it's not guaranteed that the output program that we receive will be a 100 per cent error-free one, but it ensures that some basic and avoidable errors can be removed and also that with upcoming advancement the analysis division we will definitely see major and drastic improvements.