|
Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code. The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding, program comprehension, or code review. Software inspections and Software walkthroughs are also used in the latter case. == Rationale == The sophistication of the analysis performed by tools varies from those that only consider the behavior of individual statements and declarations, to those that include the complete source code of a program in their analysis. The uses of the information obtained from the analysis vary from highlighting possible coding errors (e.g., the lint tool) to formal methods that mathematically prove properties about a given program (e.g., its behavior matches that of its specification). Software metrics and reverse engineering can be described as forms of static analysis. Deriving software metrics and static analysis are increasingly deployed together, especially in creation of embedded systems, by defining so-called ''software quality objectives''.〔("Software Quality Objectives for Source Code" ) (PDF). ''Proceedings: Embedded Real Time Software and Systems 2010 Conference'', ERTS2010.org, Toulouse, France: Patrick Briand, Martin Brochet, Thierry Cambois, Emmanuel Coutenceau, Olivier Guetta, Daniel Mainberte, Frederic Mondot, Patrick Munier, Loic Noury, Philippe Spozio, Frederic Retailleau.〕 A growing commercial use of static analysis is in the verification of properties of software used in safety-critical computer systems and locating potentially vulnerable code.〔(''Improving Software Security with Precise Static and Runtime Analysis'' ) (PDF), Benjamin Livshits, section 7.3 "Static Techniques for Security". Stanford doctoral thesis, 2006.〕 For example the following industries have identified the use of static code analysis as a means of improving the quality of increasingly sophisticated and complex software: # Medical software: The U.S. Food and Drug Administration (FDA) has identified the use of static analysis for medical devices. # Nuclear software: In the UK the Health and Safety Executive recommends the use of static analysis on Reactor Protection Systems.〔Computer based safety systems - technical guidance for assessing software aspects of digital computer based protection systems, http://www.hse.gov.uk/nuclear/operational/tech_asst_guides/tast046.pdf〕 # Aviation software (in combination with dynamic analysis)〔(Position Paper CAST-9. Considerations for Evaluating Safety Engineering Approaches to Software Assurance ) // FAA, Certification Authorities Software Team (CAST), January, 2002: "Verification. A combination of both static and dynamic analyses should be specified by the applicant/developer and applied to the software."〕 A study in 2012 by VDC Research reports that 28.7% of the embedded software engineers surveyed currently use static analysis tools and 39.7% expect to use them within 2 years.〔 〕 A study from 2010 found that 60% of the interviewed developers in European research projects made at least use of their basic IDE built-in static analyzers. However, only about 10% employed an additional other (and perhaps more advanced) analysis tool.〔Prause, Christian R., René Reiners, and Silviya Dencheva. "Empirical study of tool support in highly distributed research projects." Global Software Engineering (ICGSE), 2010 5th IEEE International Conference on. IEEE, 2010 http://ieeexplore.ieee.org/ielx5/5581168/5581493/05581551.pdf〕 In the application security industry the name ''Static Application Security Testing'' (SAST) is also used. Actually, SAST is an important part of Security Development Lifecycles (SDLs) such as the SDL defined by Microsoft 〔M. Howard and S. Lipner. The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, 2006. ISBN 978-0735622142 I〕 and a common practice in software companies.〔Achim D. Brucker and Uwe Sodan. (Deploying Static Application Security Testing on a Large Scale ). In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. https://www.brucker.ch/bibliography/download/2014/brucker.ea-sast-expierences-2014.pdf〕 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Static program analysis」の詳細全文を読む スポンサード リンク
|