Code Analysis for Software and System Security Using Open Source Tools

ABSTRACT

Software security helps in identifying and managing risks. One of the effective ways to identify software vulnerabilities is to analyze its code. Code analysis (Chess & West, 2007 Chess, B. and West, J. 2007. Secure programming with static analysis, Boston, MA: Addison-Wesley.  [Google Scholar]) helps in catching common coding mistakes such as buffer overflow, unused variables, memory leaks, and various race conditions, which in turn optimizes computer programs, both in storage and computation aspects. Software developers use either open source tools or commercial tools for verification and validation of software. Without proper validation of a software/system using some standard guidelines, potential attackers can find ways to exploit vulnerabilities and bugs and then can gain control over a system, if they are successful. In this paper, we discuss some of the open source static code analysis and dynamic analysis tools, their merits, and limitations with respect to some target codes that contain possible threats. We consider C/C++ and Java programming languages for our experiments. For static code analyzers, we consider Flawfinder, Splint, and Cppcheck; PMD, Findbugs, and Valgrind for dynamic code analysis, and its plug-in, Memcheck, to perform dynamic analysis on executables. We provide our observations in a comparison table, highlighting these tools strengths and weaknesses.     

Service Oriented Approach State of the Art

For many years, computer systems have emerged; they now occupy an important place in our daily lives. The growing needs and ever increasing use of computer systems have made application development more and more complicated, The complexity of these applications poses problems such as reuse, installation, administration and evolution of applications. The development of applications is related to the evolution of paradigms and approaches to developing them. This paper presents different approaches and paradigms of development starting with the procedural approach, coming up for service, through the component and object-oriented approaches. Also, for each of the approaches we determine the advantages and limitations.     

Limited carry-in technique for real-time multi-core scheduling

Schedulability analysis has been widely studied to provide offline timing guarantees for a set of real-time tasks. The so-called limited carry-in technique, which can be orthogonally incorporated into many different multi-core schedulability analysis methods, was originally introduced for Earliest Deadline First (EDF) scheduling to derive a tighter bound on the amount of interference of carry-in jobs at the expense of investigating a pseudo-polynomial number of intervals. This technique has been later adapted for Fixed-Priority (FP) scheduling to obtain the carry-in bound efficiently by examining only one interval, leading to a significant improvement in multi-core schedulability analysis. However, such a successful result has not yet been transferred to any other non-FP scheduling algorithms. Motivated by this, this paper presents a generic limited carry-in technique that is applicable to any work-conserving algorithms. Specifically, this paper derives a carry-in bound in an algorithm-independent manner and demonstrates how to apply the bound to existing non-FP schedulability analysis methods for better schedulability.     

金沙江梯级水电站群联合发电运行三种常规调度方法研究

采用常规调度图、蓄能调度图和调度函数三种常规调度方法对金沙江中游梯级水电站群的联合发电运行进行分析、计算,在同一条件下对三种调度方法的模拟结果与发电量最大模型及保证出力最大模型的结果进行了对比。从不同侧面对这3种方法进行了分析比较,给出了较为客观的评价,为水电站寻找调度规律、拟定运行指导准则提供重要的参考价值,为未来中长期发电计划的制定提供可靠依据。     

采用随机有限断层法生成最大可信地震

本文依据基于地震学理论合成地震动的随机方法和能够细致描述震源复杂性的有限断层模型,采用随机有限断层法直接生成最大可信地震。重点比较了随机有限断层法的静拐角频率和动拐角频率理论,开发基于静拐角频率方法的Fortran程序SFFMSIM,作为对比,引进了动拐角频率程序EXSIM。选用1994年Northridge地震数据检验本文采用的随机有限断层模拟方法和程序。最后以大岗山水电站工程为例,采用随机有限断层法生成磨西断裂发震时工程场址可能产生的最大可信地震的加速度时程曲线。结果显示：随机有限断层法合成时程的放大系数谱均值与80条基岩记录平均谱的一致性较好。预测震源位错分布形式未知的地震时,动拐角频率和静拐角频率方法的模拟结果有差异。     

地震待载作用下地下韵筋混凝土结构 报伤破杯模拟研究

综合运用钢筋混凝土和土体两种材料非线性本构模型,对某工程实例进行地震破坏的模拟研 究。分析结果表明,结构内部在强震作用下产生了混凝土开裂、钢筋屈服等损伤和破坏,通过与采用 弹性结构模型的计算结果进行对比,发现采用弹性结构模型虽然可以得到与非线性模型相近的结构位 移,但是会显著低估结构内发生的变形,并且无法准确指示结构内部发生损伤的部位。因此,采用非 线性结构模型分析地下结构的抗震安全性是非常必要的。     

宁东能源化工基地水土保持生态环境动态监测分析

通过采用卫星遥感、地面定点和野外查等监测技术手段,对宁东基地开发建设前（2000年）和开发建设初期（2007年）两个时段土地利用、植被盖度、土壤侵蚀、水土保持措施等水土保持生态环境影响因子分别进行监测。综合分析结果表明,宁东基地自2000年以来土地利用结构改善,植被覆盖呈好转趋势,虽然局部水土流失加重,但整体土壤侵蚀强度降低,整体生态环境处于好转状态。     

亭子口重力坝表孔坝段地震动力响应分析

亭子口重力坝坝基岩层近于水平,分布有各类软弱夹层。为科学评价其坝体结构抗震安全性与地震动力抗滑稳定性,采用黏弹性人工边界模拟地基辐射阻尼效应,以有厚度接触单元模拟坝基软弱夹层,对亭子口重力坝的表孔坝段进行了三维有限元时程动力分析。计算结果表明,在水工抗震规范谱人工地震波作用下,大坝上下游表面产生了明显的动应力响应,但动静叠加后,坝体竖直向在地震过程中没有出现拉应力;以泥化夹层JS2-1-2为底滑面的滑动模式为大坝深层动力抗滑稳定的控制工况,设置齿槽后大坝动力深层抗滑稳定性显著提高,大坝在地震过程中不会发生整体失稳。     

动态规划模型在灌溉泵站群布局优化中的应用

针对具有耦合约束的多维动态规划模型提出了一种改进的递推方法,即改变相应各阶段对应状态变量的离散范围,以达到降维的目的。以灌溉泵站群总能耗最小为目标函数,以农田灌溉和河道引水能力为约束条件,对动态规划模型进行了求解,确定开机灌溉的泵站组合,并据此对灌溉泵站群及配套渠系的布局进行了调整。结果显示,采用此方法布局的泵站群,既能满足农田灌溉供水及河道最小生态流量的要求,又能使整个泵站群的耗能率最小。     

阿海水电站人工砂石系统筛分楼动力计算

阿海水电站人工砂石系统筛分楼动力计算,是在静力设计所选定结构截面的基础上,按照结构动力学的计算方法,计算支承结构的固有振动频率及筛分机周期性振动力作用下的动位移,要求支承结构不发生共振,控制动位移值在允许范围之内,并核算主要支承结构的动内力和疲劳强度。一般情况下,若筛梁及主梁满足最大动位移控制条件,则动弯矩和疲劳强度可自动满足。简要介绍了筛分楼支承结构的简化动力计算方法,其计算结果与实际运行情况基本一致,能够满足目前水利水电工程中的砂石加工系统筛分楼的设计要求。