Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is Dynamic Code Analysis?

What is Dynamic Code Analysis?

How is it different from Static Code Analysis (ie, what can it catch that can't be caught in static)?

I've heard of bounds checking and memory analysis - what are these?

What other things are checked using dynamic analysis?

-Adam

like image 738
Adam Davis Avatar asked Sep 08 '08 15:09

Adam Davis


People also ask

What does dynamic code analysis do?

Dynamic code analysis – also called Dynamic Application Security Testing (DAST) – is designed to test a running application for potentially exploitable vulnerabilities.

What is meant by dynamic analysis?

Dynamic analysis is the testing and evaluation of a program by executing data in real-time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline.

What is dynamic and static code analysis?

Static code analysis examines code to identify issues within the logic and techniques. Dynamic code analysis involves running code and examining the outcome, which also entails testing possible execution paths of the code.

What is the meaning of dynamic code?

Dynamic code analysis is the method of debugging by examining an application during or after a program is run. Since the source code can be run with a variety of different inputs, there isn't a given set of rules that can cover this style.


3 Answers

Simply put, static analysis collect information based on source code and dynamic analysis is based on the system execution, often using instrumentation.

Advantages of dynamic analysis

  • Is able to detect dependencies that are not possible to detect in static analysis. Ex.: dynamic dependencies using reflection, dependency injection, polymorphism.
  • Can collect temporal information.
  • Deals with real input data. During the static analysis it is difficult to impossible to know what files will be passed as input, what WEB requests will come, what user will click, etc.

Disadvantages of dynamic analysis

  • May negatively impact the performance of the application.
  • Cannot guarantee the full coverage of the source code, as it's runs are based on user interaction or automatic tests.

Resources

There's many dynamic analysis tools in the market, being debuggers the most notorious one. On the other hand, it's still an academic research field. There's many researchers studying how to use dynamic analysis for better understanding of software systems. There's an annual workshop dedicated to dependency analysis.

like image 160
Marcio Aguiar Avatar answered Sep 20 '22 05:09

Marcio Aguiar


Basically you instrument your code to analyze your software as it is running (dynamic) rather than just analyzing the software without running (static). Also see this JavaOne presentation comparing the two. Valgrind is one example dynamic analysis tool for C. You could also use code coverage tools like Cobertura or EMMA for Java analysis.

From Wikipedia's definition of dynamic program analysis:

Dynamic program analysis is the analysis of computer software that is performed with executing programs built from that software on a real or virtual processor (analysis performed without executing programs is known as static code analysis). Dynamic program analysis tools may require loading of special libraries or even recompilation of program code.

like image 31
David Schlosnagle Avatar answered Sep 19 '22 05:09

David Schlosnagle


You asked for a good explanation of "bounds checking and memory analysis" issues.

Our Memory Safety Check tool instruments your application to watch at runtime for memory access errors (buffer overruns, array subscript errors, bad pointers, alloc/free errors). The link contains a detailed explanation complete with examples. This SO answer shows two programs that have pointers into dead stack frame, and how CheckPointer detects and reports the point of error in the source code

A briefer example: C (and C++) infamously do not check accesses to arrays, to see if the access is inside the bounds of the array. The benefit: well-designed program don't pay the cost of such a check in production mode. The downside: buggy programs can touch things outside the array, and this can cause behavior which is very hard to understand; thus the buggy program is difficult to debug.

What a dynamic instrumentation tool like the Memory Safety Checker does, is associate some metadata with every pointer (e.g., the type of the thing to which the pointer "points", and if it is an array, the array bounds), and then check at runtime, any accesses via pointers to arrays, whether the array bound is violated. The tool modifies the original program to collect the metadata where it is generated (e.g., on entry to scopes in which arrays are declared, or as the result of a malloc operation, etc.) and modifies the program at every array reference (written both as x[y] where either x or y is an array pointer and the the value is some type of integral type, similarly for *(x+y)!) to check the access. Now if the program runs, and performs an out-of-bounds access, the check catches the error and it reported at the first place where it could be detected. [If you think about it, you'll realize the instrumentation for metadata collection and checking has to be pretty clever, to handle all the variant cases a language like C may have. Its actually hard to make this work completely).

The good news is that now such access is reported early where it is easier to detect the problem and fix the program. Such a tool isn't intended production use; one uses during development and testing to help verify absence of errors. If there are no errors discovered, then one does a normal compile and runs the programs without the checks.

This is an extremely good example of a dynamic analysis tool: the testing happens at runtime.

like image 35
Ira Baxter Avatar answered Sep 19 '22 05:09

Ira Baxter