SOURCE: THE PROGRAMMING RESEARCH GROUP

THE PROGRAMMING RESEARCH GROUP

May 02, 2011 12:24 ET

PRQA Introduces a New Approach to Defect and Security Vulnerability Detection

QA-C 8.0 Identifies Complex Failure Conditions in Critical Embedded and System Software

HERSHAM, UNITED KINGDOM--(Marketwire - May 2, 2011) - PRQA | Programming Research today announced a new release of its industry leading QA-C product with sophisticated technology to perform deep-flow dataflow analysis. QA-C 8.0 identifies critical coding issues relating to control-flow, variable state and library usage.

"The embedded software industry, dominated by the use of C and C++ languages, welcomes our new dataflow analysis capability," said Fergus Bolger, Chief Technical Officer at PRQA. "QA-C 8.0 overcomes a limitation of many current static analysis tools, since it focuses on detailed code semantics rather than abstracting summary data and analyzing it at the software interface layers. QA-C 8.0 provides a precise and detailed functional analysis, literally on the bits and bytes of critical software-based systems."

The new dataflow analysis technology contains an advanced industry-proven Satisfiability Modulo Theories (SMT) solver engine, a first for deep-flow static analysis products. The combination of SMT solver technology and in-house language and parsing expertise in function control flow and detailed semantics takes analysis checks for C code to a new level.

The strength of the PRQA solution is seen in the set of analysis checks available. These cover all the well-known language vulnerabilities, as well as additional value-sensitive operations that are particularly relevant to embedded applications:

  • Invalid Pointer Operations: dereference and arithmetic operations on a null pointer, computing or dereferencing an invalid pointer value, e.g. buffer under- and overrun, pointer operations on unrelated pointers.
  • Dangerous Arithmetic Operations: division by zero, arithmetic operations resulting in overflow or wraparound, converting a negative value to unsigned and other representation issues in conversions, bit-shifting operations that result in truncation or invalid values.
  • Flow control anomalies: redundant initializations or assignments, invariant logical operations and flow-control expressions, unreachable code, infinite loops, unset variables, return value mismatches.

QA-C 8.0, with its dataflow solution, includes analysis of standard library API calls; coupled with pointer checking, this delivers a comprehensive language-based detection of security vulnerabilities. Upon detecting a coding defect, path and value trace is provided by means of sub-messages.

Utilizing the strength of a commercially-hardened SMT solver, QA-C 8.0 delivers a number of sophisticated code-modeling capabilities:

  • Interdependencies between variables are included in the code modeling, both for assignments and in determination of conditional expressions (control flow).
  • Modeling includes a bi-directional approach, where, for example, later conditional tests can identify earlier suspicious variable usage.
  • Loop iterations are modeled accurately, including increments by other than '1,' multiple loop control variables, and nested loops.
  • Bit-fields are modeled exactly as the compiler will handle them, matching the true size of all types, and yielding intelligence on unions and bit-field operations.

Software engineers and their organizations need to address quality of code, in terms of prevention-oriented coding standards compliance as well as accurate and precise bug-detection. QA-C 8.0, with its advanced deep-flow dataflow DF^2 module, and now enhanced with 118 new diagnostic messages addresses this important need. The product is available immediately through PRQA and its worldwide partner network.

About PRQA | THE PROGRAMMING RESEARCH GROUP

Established in 1986, PRQA is recognized throughout the industry as "the coding standard expert." PRQA pioneered coding standard inspection and now delivers its expertise through industry-leading software inspection and standards enforcement technology, worldwide. PRQA has corporate offices in UK, USA, India, Ireland and The Netherlands, complemented by a worldwide distribution network.

PRQA's industry-leading tools, QA-C and QA-C++, offer the closest possible examination of C and C++ code. Both contain powerful, proprietary parsing engines which deliver high fidelity language analysis and comprehension. They identify problems caused by language usage that is dangerous, overly complex, non-portable, or difficult to maintain. Plus, they include the basic building blocks for coding standard enforcement.

Find out more at programmingresearch.com

Contact Information

  • Media Contacts
    PRQA | THE PROGRAMMING RESEARCH GROUP
    Paul Blundell
    Email: Email Contact
    Tel: +44 1932 888 080

    Candia Communications LLC
    Tanya Candia
    PR Agent for Programming Research
    Email: Email Contact
    Tel: +1 408 402 5812