DYNAMIC PROGRAM ANALYSIS AND TOOLS
Dynamic Programming:
Dynamic programming solves optimization problems by combining solutions to subproblems.
Steps:
• View the problem solution as the result of a sequence of decisions.
• Obtain a formulation for the problem state.
• Verify that the principle of optimality holds.
• Set up the dynamic programming recurrence equations.
• Solve these equations for the value of the optimal solution.
• Perform a traceback to determine the optimal solution.
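The steps above, worked through on a small 0/1 knapsack instance in C. This is an added example, not part of the original notes; the item weights, values and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample instance: four items, capacity chosen by the caller. */
enum { N_ITEMS = 4, MAX_CAP = 64 };
static const int weight[N_ITEMS] = {1, 3, 4, 5};
static const int value[N_ITEMS]  = {1, 4, 5, 7};

/* Problem state: best[i][c] = max value using the first i items, capacity c. */
static int best[N_ITEMS + 1][MAX_CAP + 1];

/* Recurrence: best[i][c] = max(best[i-1][c],
 *                              best[i-1][c - w_i] + v_i  when w_i <= c). */
int knapsack_solve(int n, int cap) {
    if (n < 0 || n > N_ITEMS || cap < 0 || cap > MAX_CAP) return -1;
    memset(best, 0, sizeof best);
    for (int i = 1; i <= n; i++) {
        for (int c = 0; c <= cap; c++) {
            best[i][c] = best[i - 1][c];                   /* decision: skip */
            if (weight[i - 1] <= c) {
                int take = best[i - 1][c - weight[i - 1]] + value[i - 1];
                if (take > best[i][c]) best[i][c] = take;  /* decision: take */
            }
        }
    }
    return best[n][cap];
}

/* Traceback: walk the solved table backwards to recover the decisions.
 * Sets chosen[i] to 1 for each item taken and returns the weight used. */
int knapsack_traceback(int n, int cap, int chosen[]) {
    int c = cap, used = 0;
    for (int i = n; i >= 1; i--) {
        chosen[i - 1] = (best[i][c] != best[i - 1][c]);
        if (chosen[i - 1]) { c -= weight[i - 1]; used += weight[i - 1]; }
    }
    return used;
}

int main(void) {
    int chosen[N_ITEMS];
    int v = knapsack_solve(N_ITEMS, 7);
    int w = knapsack_traceback(N_ITEMS, 7, chosen);
    printf("value=%d weight=%d items:", v, w);
    for (int i = 0; i < N_ITEMS; i++) if (chosen[i]) printf(" %d", i);
    printf("\n");
    return 0;
}
```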
What is Dynamic Code Analysis?
Dynamic code analysis is the process of analyzing an application or software during execution.
It is the practice of analyzing the source code for reliability, quality and security while the
application or software is running.
Performing dynamic code analysis for an application helps developers and testers find issues
related to the application’s integration with database servers, application servers and web
services. It also provides an analysis of how the application interacts with these services.
The primary goal is to find bugs and vulnerabilities present in the application or software so
they can be debugged. Dynamic code analysis also helps find other issues such as problems
related to authentication, session management, framework configuration, runtime privileges,
protocol parser and more. It is most effective when the application being tested is executed
with sufficient test inputs to achieve all possible outputs.
Therefore, a dynamic analysis should be performed once the software is functionally complete.
Additionally, doing dynamic analysis will:
• Allow testers to perform application analysis without having access to the actual code.
• Reveal errors that can crash the program.
• Help testers ensure that the product/software works well.
• Help quality enhancement by taking into consideration any drawbacks.
• Require less expertise to perform; therefore, it is less expensive than static code
analysis. Static code analysis requires an expert in the language in which the application
has been developed.
Why Developers Use Dynamic Analysis
1. It’s fast.
Dynamic analysis is traditionally much faster than similar tools. This allows for
increased efficiency and faster time-to-product.
2. It’s flexible.
One of the major advantages of dynamic analysis is that it’s completely automated.
These automated tools often allow for scheduling which maximizes developer
efficiency. They also often have the capability to scan for more than one type of
vulnerability, allowing increased flexibility when searching for potential exploits.
3. It isn’t language dependent.
Dynamic analysis doesn’t analyze the source code; it simulates a malicious user. This
means a proper tool could test any web application regardless of the development
language (Java, PHP, etc.).
4. It confirms the results of static analysis.
Dynamic and static analysis techniques are most powerful when used in tandem. The
methods can be used as a system of checks and balances, acting as insurance against
false positives and false negatives.
Example of Dynamic Analysis
Assume there’s a team of developers writing a web application. They’re partially into the
development cycle when they realize they’re having an issue with the data structures created
by the program.
They decide to use a dynamic analysis tool, then instruct the tool to record the linkages among
heap-allocated storage cells. Afterwards, they use this data to find an issue with the shape of
the data structures, allowing them to move on with the development cycle.
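The scenario above, reduced to a small C program. This is an added example, not a real tool and not from the original notes: the `link_next` hook, the `shared_cells` check and the two-list scenario are constructed, and the hook is called by hand where a real tool would insert it automatically.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_EDGES 64
struct node { int val; struct node *next; };

/* Recorded linkage: heap cell `from` holds a pointer to heap cell `to`. */
static struct { const void *from, *to; } edges[MAX_EDGES];
static int n_edges;

/* Instrumented pointer store: does the write and logs (or updates) the link.
 * A real tool inserts such hooks automatically; here they are called by hand. */
static void link_next(struct node *from, struct node *to) {
    from->next = to;
    for (int i = 0; i < n_edges; i++)
        if (edges[i].from == from) { edges[i].to = to; return; }
    if (n_edges < MAX_EDGES) { edges[n_edges].from = from; edges[n_edges++].to = to; }
}

/* Shape check: in disjoint singly linked lists every cell has at most one
 * incoming link. Returns the number of cells that violate this. */
int shared_cells(void) {
    int shared = 0;
    for (int i = 0; i < n_edges; i++) {
        int indeg = 0, first = 1;
        for (int j = 0; edges[i].to && j < n_edges; j++)
            if (edges[j].to == edges[i].to) { indeg++; if (j < i) first = 0; }
        if (first && indeg > 1) shared++;
    }
    return shared;
}

/* Constructed scenario: list A = c0->c1->c2, list B = c3->c4. With inject_bug
 * B's tail is linked into A, so freeing both lists would free c1, c2 twice. */
int demo_shape_check(int inject_bug) {
    struct node *c[5];
    for (int i = 0; i < 5; i++) if (!(c[i] = calloc(1, sizeof **c))) abort();
    n_edges = 0;
    link_next(c[0], c[1]); link_next(c[1], c[2]);   /* list A */
    link_next(c[3], c[4]);                          /* list B */
    if (inject_bug) link_next(c[4], c[1]);          /* B now shares A's tail */
    int shared = shared_cells();
    for (int i = 0; i < 5; i++) free(c[i]);
    return shared;
}

int main(void) {
    printf("shared cells: clean=%d buggy=%d\n", demo_shape_check(0), demo_shape_check(1));
    return 0;
}
```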
List of Popular Dynamic Testing Tools:
Since the number of tools available in the market for dynamic testing is uncountable, it
becomes crucial for us to identify the best and most popular tools that can help us achieve our
testing goals rapidly and efficiently. Hence, to simplify this search for you, here is a list of popular
dynamic testing tools:
1. AddressSanitizer:
o An important dynamic testing/analysis tool, AddressSanitizer is also known as
ASan.
o It is an effective memory error detector for C/C++ that helps find stack buffer
overflow, global buffer overflow, heap buffer overflow, memory leaks,
initialization order bugs, among others.
o It is a fast tool that consists of a compiler instrumentation module as well as a
runtime library, which replaces the malloc function.
2. BoundsChecker:
o A part of MicroFocus’ DevPartner, BoundsChecker offers assistance in
automatically detecting defects in the software code, identifying memory leaks,
as well as performance bottlenecks.
o It finds the source of application instability, like heap and stack corruption,
overruns, and API overuse.
o BoundsChecker finds memory errors in Windows based applications.
3. Daikon:
o Daikon is an open source dynamic testing tool that detects likely invariants of a
program.
o It can be used to detect invariants in C, C++, Java, Perl programs, and more.
o The biggest advantage of this tool is that it is easily extendable to other
applications.
4. IBM Security AppScan:
o IBM’s AppScan offers remarkable security to web and mobile applications by
performing intensive static testing and dynamic testing.
o It identifies security risks, generates reports and takes necessary measures to fix
the vulnerabilities.
o With this dynamic testing tool you can reduce the probability of application
attacks and get effective application security solutions on Cloud.
5. Droidbox:
o Developed to perform dynamic assessment of an Android application, Droidbox
was first designed and introduced into the world by Patrik Lantz as part of GSoC
2011.
o It helps identify incoming and outgoing network data, information leaks via the
network, cryptographic operations performed using the Android API, etc.
6. Process Explorer:
o This dynamic testing tool, created by Winternals Software, is a freeware task
manager and system monitor for Microsoft Windows.
o It offers various features like the ability to raise the window attached to a process,
suspend a selected process, display an icon and company name for each process,
among other things.
o Moreover, the unique capabilities of Process Explorer help track DLL version
problems or handle leaks.
7. Intel Inspector:
o Successor of Intel Thread Checker, Intel Inspector is an effective dynamic
testing tool that offers a memory and thread debugger.
o With the assistance of this tool the team can check the reliability, security, and
accuracy of the product, while saving time and money.
o It performs dynamic analysis to find and debug intermittent and
non-deterministic errors.
8. PANDA:
o This is an open source platform for architecture neutral dynamic analysis.
o Built upon the QEMU whole system emulator, PANDA has the ability to record
and replay executions, which further promotes iterative and thorough system
analysis.
o It can have a single dynamic taint analysis that supports any CPU.
9. Cuckoo Sandbox:
o Cuckoo Sandbox is a leading open source automated malware analysis system.
o It performs advanced dynamic and memory analysis of the infected virtualized
system through Volatility and helps trace API calls and general behavior of the
file and system.
o Cuckoo Sandbox can easily integrate into your existing framework and
backend in the way you want as well as the format you want.
10. Parasoft JTest:
o Parasoft JTest is an important tool that accelerates the delivery of reliable and
secure Java applications. It minimizes risks introduced in the software code and
provides comprehensive analysis, guidance, and tools for the same.
o From conducting static analysis and security testing to coverage analysis and
traceability, this tool can be used for all important tasks.
o It helps identify and fix code defects, while performing complete path analysis
for accurate violation detection.
11. Valgrind:
o An open source software, Valgrind is freely available under the GNU General
Public License, version 2.
o It is a vital instrumentation framework for building dynamic analysis tools, such as
memory error detector, two thread detectors, cache and branch prediction
profiler, among others.
o Valgrind has the capability to run on various platforms, like X86/Linux,
X86/Darwin, AMD64/Linux, S390/Linux, ARM64/Android, etc.
12. Procmon:
o Procmon, or Process Monitor as it is commonly known, is an advanced tool for
Windows that monitors and displays real-time file system, registry and
process or thread activity.
o It is a free tool from Windows Sysinternals that includes monitoring and
filtering capabilities.
o Moreover, it displays how applications use files and DLLs, detects critical
errors and defects in the system files, captures thread stacks for each operation,
among other things.
13. CIRCL Dynamic Malware Analysis Platform (DMA):
o A platform operated by CIRCL, Dynamic Malware Analysis Platform (DMA)
allows the analysis of potential malicious software or suspicious documents in
a secure and virtualized environment.
o Users can upload suspicious software or document with the assistance of a web
interface and select a specific target audience.
o At the end, a report is provided with complete dynamic analysis, memory
analysis, and other important and additional information.
14. TotalHash:
o Another important dynamic testing tool, TotalHash provides effective static and
dynamic analysis.
o It offers free services and data for non-commercial use.
o You can effortlessly identify the static and dynamic characteristics of your
sample by simply running it through their ‘Search’, which can be freely
accessed on the TotalHash website.
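The AddressSanitizer entry in the list above mentions a runtime library that replaces malloc. The C sketch below is an added example, not ASan's code and not from the original notes, showing the underlying idea of surrounding each allocation with guard bytes ("redzones"). It is a simplification: the guards are checked with a byte pattern when the block is freed, whereas ASan checks every access through compiler-inserted instrumentation. All names and constants are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER  16      /* stores the requested size, keeps 16-byte alignment */
#define REDZONE 16      /* guard bytes on each side of the user region */
#define POISON  0xFA    /* guard fill pattern (arbitrary choice) */

/* Block layout: [header: size][left redzone][user bytes][right redzone] */
void *guarded_malloc(size_t size) {
    if (size > (size_t)-1 - HEADER - 2 * REDZONE) return NULL;
    unsigned char *raw = malloc(HEADER + 2 * REDZONE + size);
    if (!raw) return NULL;
    memcpy(raw, &size, sizeof size);
    memset(raw + HEADER, POISON, REDZONE);
    memset(raw + HEADER + REDZONE + size, POISON, REDZONE);
    return raw + HEADER + REDZONE;
}

/* Verifies the guards, then releases the block. Returns 0 if intact,
 * 1 for an overflow (right guard damaged), -1 for an underflow (left). */
int guarded_free(void *user) {
    unsigned char *u = user;
    size_t size;
    int verdict = 0;
    memcpy(&size, u - REDZONE - HEADER, sizeof size);
    for (size_t i = 0; i < REDZONE && verdict == 0; i++) {
        if (u[size + i] != POISON) verdict = 1;
        else if ((u - REDZONE)[i] != POISON) verdict = -1;
    }
    free(u - REDZONE - HEADER);
    return verdict;
}

/* Constructed off-by-one: when buggy, the buffer is sized with strlen() and
 * the terminating NUL lands one byte past the user region. */
int demo_copy(int buggy) {
    const char src[] = "ABCDEFGH";                   /* 8 chars + NUL */
    size_t n = buggy ? strlen(src) : sizeof src;
    char *buf = guarded_malloc(n);
    if (!buf) return -2;
    memcpy(buf, src, sizeof src);   /* stays inside the padded raw block */
    return guarded_free(buf);
}

int main(void) {
    printf("correct size: %d, off-by-one: %d\n", demo_copy(0), demo_copy(1));
    return 0;
}
```

For a real build, ASan is enabled in GCC and Clang with the `-fsanitize=address` compiler flag.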
Advantages of Dynamic Testing
• It discloses very difficult and complex defects.
• It detects the defects that can’t be detected by static testing.
• It increases the quality of the software product or application being tested.
• Dynamic testing detects security threats and ensures a more secure application.
• It can be used to test the functionality of the software at the early stages of
development.
• It is easy to implement and does not require any special tools or expertise.
• It can be used to test the software with different input values.
• It can be used to test the software with different data sets.
• It can be used to test the software with different user profiles.
• It can be used to test the functionality of the code.
• It can be used to test the performance of the code.
• It can be used to test the security of the code.
Disadvantages of Dynamic Testing
• It is a time-consuming process, as the whole code is executed in dynamic testing.
• It increases the budget of the software as dynamic testing is costly.
• Dynamic testing may require more resources than static testing.
• Dynamic testing may be less effective than static testing in some cases.
• It is difficult to cover all the test scenarios.
• It is difficult to find out the root cause of the defects.