Sponsor: TrustInSoft

Recognized by the NIST, TrustInSoft Analyzer goes further than any other static analysis tool by using formal methods to do the equivalent of billions of tests in order to mathematically guarantee the absence of bugs like buffer overflow, divison by zero, integer overflow, use after free, etc. TrustInSoft Analyzer mathematically proves the absence of even the most hidden bugs and integrates easily in the CI process.

Check out this demo of TrustInSoft Analyzer on this popular C library ARM mbed TLS.

The SEI CERT Coding Standards are software coding standards developed by the Software Engineering Institute of Carnegie Mellon University. They are steadily becoming one of the key industry references for creating safe and secure software. One of these is SEI CERT C which has been updated for C11 but is also applicable to the earlier versions of the C language.

CERT C is primarily intended for software developers. However, it is also used by software integrators to define the requirements concerning code quality. There is a special interest for high-stakes and critical code developers who must build reliable code that is robust and resistant to attacks. That is why these standards are increasingly being used as a metric to evaluate the quality of the source code.

Exhaustive static analysis enables developers to find and eliminate 100% of undefined behaviors (defects like buffer overflow, uninitialized memory access, etc.) that can leave low-level code vulnerable to attack and runtime errors. It gives device manufacturers and their customers an iron-clad guarantee that their products are completely free of such vulnerabilities.

In the remainder of this white paper, we will examine in greater detail:

• The challenges of ensuring the security of low-level code in today’s environment,
• Why traditional code verification methods are not up to these challenges, and
• How exhaustive static analysis is able to meet those same challenges and guarantee cybersecurity and reliability in low-level code.