CodeSonar
CodeSonar is a static code analysis tool from GrammaTech. CodeSonar is used to find and fix bugs and security vulnerabilities[1] in source and binary code.[2][3][4] It performs whole-program, inter-procedural analysis with abstract interpretation on C, C++, C# and Java, as well as on x86 and ARM binary executables and libraries. CodeSonar is typically used by teams developing or assessing software to track their quality or security weaknesses. CodeSonar supports Linux, BSD, FreeBSD, NetBSD, MacOS and Windows hosts and embedded operating systems and compilers.
Developer(s) | GrammaTech |
---|---|
Stable release | 5.3p0 / 15 June 2020 |
Operating system | Cross-platform |
Type | static code analysis |
License | Proprietary |
CodeSonar provides information for every weakness found, including the trace through the source code that would trigger the bug as well as a call-tree visualization that represents how the weakness is related to the wider application.
Functional safety compliance
CodeSonar supports compliance with functional safety standards like IEC 61508, ISO 26262, DO-178B/C, or ISO/IEC TS 17961. CodeSonar's warning classes also support several coding standard initiatives,[5] including MITRE's CWE, JPL, Power of 10, MISRA C/C++ and SEI CERT C.
Applications
CodeSonar is used in the defense/aerospace, medical, industrial control, automotive, electronic, tele/datacommunications and transportation industries. Among the well-known use cases, the FDA Center for Devices and Radiological Health uses it to detect defects in fielded medical devices,[6][7] and the NHTSA and NASA used CodeSonar to study sudden unintended acceleration in the electronic throttle control systems of Toyota vehicles.[8][9]
Supported programming languages, host platforms and compilers
Supported Programming Languages:
- C
- C++
- C#
- Java
- Python
- Binary code analysis supports Intel x86, x64 and ARM.
Supported Platforms:
- Microsoft Windows
- Linux
- FreeBSD
- NetBSD
- MacOS
Supported Compilers:
- Apple Xcode
- ARM RealView
- CodeWarrior
- GNU C/C++
- Green Hills Compiler
- HI-TECH Compiler
- IAR Compiler
- Intel C++ Compiler
- Microsoft Visual Studio
- Renesas Compiler
- Sun C/C++
- Texas Instruments CodeComposer
- Wind River Compiler
References
- Vitek, D. (2016). "Auditing Code for Security Vulnerabilities with CodeSonar". 2016 IEEE Cybersecurity Development (SecDev): 154. doi:10.1109/SecDev.2016.042. ISBN 978-1-5090-5589-0.
- Balakrishnan, G.; Gruian, R.; Reps, T.; Teitelbaum, T. (2005). "CodeSurfer/x86—A Platform for Analyzing x86 Executables". Compiler Construction. CC 2005. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. 3443: 250–254. doi:10.1007/978-3-540-31985-6_19. ISBN 978-3-540-31985-6.
- Gopan, Denis; Driscoll, Evan; Nguyen, Ducson; Naydich, Dimitri; Loginov, Alexey; Melski, David (2015). "Data-delineation in Software Binaries and Its Application to Buffer-overrun Discovery". Proceedings of the 37th International Conference on Software Engineering - Volume 1. ICSE '15. Florence, Italy: IEEE Press: 145–155. ISBN 978-1-4799-1934-5.
- Lim, J.; Reps, T. (April 2008). "A system for generating static analyzers for machine instructions". Proc. Int. Conf. on Compiler Construction (CC). New York, NY: Springer-Verlag. (Awarded the EAPLS Best Paper Award at ETAPS 2008.)
- Anderson, P. (2008). Coding standards for high-confidence embedded systems. MILCOM 2008 - IEEE Military Communications Conference. San Diego, CA. pp. 1–7. doi:10.1109/MILCOM.2008.4753206.
- Quinnell, Richard A. (2008-03-06). "Static analysis stomps on bugs". EETimes. Retrieved 2009-09-11.
- Jetley, Raoul Praful; Jones, Paul L.; Anderson, Paul (2008). "Static Analysis of Medical Device Software Using CodeSonar". Proceedings of the 2008 Workshop on Static Analysis. Tucson, Arizona: ACM: 22–29. doi:10.1145/1394504.1394507. ISBN 978-1-59593-924-1.
- Koopman, P. (2014-09-18). "A Case Study of Toyota Unintended Acceleration and Software Safety" (PDF). Carnegie Mellon University. Retrieved 2019-09-12.
- Barr, Michael (2011-03-01). "Unintended Acceleration and Other Embedded Software Bugs". Embedded Gurus. Retrieved 2019-09-11.