industry news
Subscribe Now

PRQA Introduces a New Approach to Defect and Security Vulnerability Detection

HERSHAM, UK, May 2 2011 / — PRQA | Programming Research today announced a new release of its industry leading QA·C product with sophisticated technology to perform deep-flow dataflow analysis. QA·C 8.0 identifies critical coding issues relating to control-flow, variable state and library usage. 

 “The embedded software industry, dominated by the use of C and C++ languages, welcomes our new dataflow analysis capability,” said Fergus Bolger, Chief Technical Officer at PRQA. “QA·C 8.0 overcomes a limitation of many current static analysis tools, since it focuses on detailed code semantics rather than abstracting summary data and analyzing it at the software interface layers. QA·C 8.0 provides a precise and detailed functional analysis, literally on the bits and bytes of critical software-based systems.”

The new dataflow analysis technology contains an advanced industry-proven Satisfiability Modulo Theories (SMT) solver engine, a first for deep-flow static analysis products. The combination of SMT solver technology and in-house language and parsing expertise in function control flow and detailed semantics takes analysis checks for C code to a new level.

The strength of the PRQA solution is seen in the set of analysis checks available. These cover all the well-known language vulnerabilities, as well as additional value-sensitive operations that are particularly relevant to embedded applications:

  • Invalid Pointer Operations: dereference and arithmetic operations on a null pointer, computing or dereferencing an invalid pointer value, e.g. buffer under- and overrun, pointer operations on unrelated pointers.
  • Dangerous Arithmetic Operations: division by zero, arithmetic operations resulting in overflow or wraparound, converting a negative value to unsigned and other representation issues in conversions, bit-shifting operations that result in truncation or invalid values.
  • Flow control anomalies: redundant initializations or assignments, invariant logical operations and flow-control expressions, unreachable code, infinite loops, unset variables, return value mismatches.

QA·C 8.0, with its dataflow solution, includes analysis of standard library API calls; coupled with pointer checking, this delivers a comprehensive language-based detection of security vulnerabilities. Upon detecting a coding defect, path and value trace is provided by means of sub-messages.

Utilizing the strength of a commercially-hardened SMT solver, QA·C 8.0 delivers a number of sophisticated code-modeling capabilities:

  • Interdependencies between variables are included in the code modeling, both for assignments and in determination of conditional expressions (control flow).
  • Modeling includes a bi-directional approach, where, for example, later conditional tests can identify earlier suspicious variable usage.
  • Loop iterations are modeled accurately, including increments by other than ‘1’, multiple loop control variables, and nested loops.
  • Bit-fields are modeled exactly as the compiler will handle them, matching the true size of all types, and yielding intelligence on unions and bit-field operations.

Software engineers and their organizations need to address quality of code, in terms of prevention-oriented coding standards compliance as well as accurate and precise bug-detection. QA·C 8.0, with its advanced deep-flow dataflow DF^2 module, and now enhanced with 118 new diagnostic messages addresses this important need. The product is available immediately through PRQA and its worldwide partner network.

About PRQA | THE PROGRAMMING RESEARCH GROUP

Established in 1986, PRQA is recognized throughout the industry as “the coding standard expert”. PRQA pioneered coding standard inspection and now delivers its expertise through industry-leading software inspection and standards enforcement technology, worldwide.   PRQA has corporate offices in UK, USA, India, Ireland and The Netherlands, complemented by a worldwide distribution network. 

PRQA’s industry-leading tools, QA·C and QA·C++, offer the closest possible examination of C and C++ code. Both contain powerful, proprietary parsing engines which deliver high fidelity language analysis and comprehension. They identify problems caused by language usage that is dangerous, overly complex, non-portable, or difficult to maintain. Plus, they include the basic building blocks for coding standard enforcement.

Leave a Reply

featured blogs
Jul 24, 2021
Many modern humans have 2% Neanderthal DNA in our genomes. The combination of these DNA snippets is like having the ghost of a Neanderthal in our midst....
Jul 23, 2021
The Team RF "μWaveRiders" blog series is a showcase for Cadence AWR RF products. Monthly topics will vary between Cadence AWR Design Environment release highlights, feature videos, Cadence... [[ Click on the title to access the full blog on the Cadence Community...
Jul 23, 2021
Synopsys co-CEO Aart de Geus explains how AI has become an important chip design tool as semiconductor companies continue to innovate in the SysMoore Era. The post Entering the SysMoore Era: Synopsys Co-CEO Aart de Geus on the Need for AI-Designed Chips appeared first on Fro...
Jul 9, 2021
Do you have questions about using the Linux OS with FPGAs? Intel is holding another 'Ask an Expert' session and the topic is 'Using Linux with Intel® SoC FPGAs.' Come and ask our experts about the various Linux OS options available to use with the integrated Arm Cortex proc...

featured video

DesignWare Controller and PHY IP for PCIe 6.0

Sponsored by Synopsys

See a demo of Synopsys’ complete IP solution for PCIe 6.0 technology showing the controller operating at 64GT/s in FLIT mode and the PAM-4 PHY in 5-nm process achieving two orders of magnitude better BER with 32dB PCIe channel.

Click here for more information about DesignWare IP for PCI Express (PCIe) 6.0

featured paper

Long-term consistent performance matters for humidity sensing applications

Sponsored by Texas Instruments

The exposed polymer of humidity sensors can be impacted by the environment, leading to drift over time. This article from Texas Instruments discusses the accuracy and long-term drift of humidity sensors and how these parameters affect system performance and lifetime.

Click to read more

featured chalk talk

Time Sensitive Networking for Industrial Automation

Sponsored by Mouser Electronics and Intel

In control applications with strict deterministic requirements, such as those found in automotive and industrial domains, Time Sensitive Networking offers a way to send time-critical traffic over a standard Ethernet infrastructure. This enables the convergence of all traffic classes and multiple applications in one network. In this episode of Chalk Talk, Amelia Dalton chats with Josh Levine of Intel and Patrick Loschmidt of TTTech about standards, specifications, and capabilities of time-sensitive networking (TSN).

Click here for more information about Intel Cyclone® V FPGAs