Intel Static Security Analysis (SSA)

  1. Overview
  2. Platforms and Locations
  3. Quick Start
  4. Tutorials
  5. Documentation and References

Overview

Note: SSA has been deprecated and will not run in the Intel version 16 and above compilers, and results cannot be viewed in the Inspector version 2016 and above. It can still be run in older compiler and Inspector versions.

The Intel compiler includes a tool called Static Security Analysis (SSA), which is a static, source code analyzer. It can identify security vulnerabilities in source code, including buffer overflows, use of uninitialized variables, and misuse of pointers, and it can also identify general coding errors, including memory leaks and incorrect usage of programming models and languages. It supports C, C++, and Fortran.

The SSA tool, as with static analysis tools generally, can be valuable to run prior to any code release or at any time during the code development process. A static analysis tool catches many coding errors that might not lead to major problems but that are bugs nonetheless. It also catches some latent bugs that have gone unnoticed or have been silently causing incorrect execution. Because it uses static analysis, it may also catch bugs in code paths that have slipped past an application's regular regression testing.


Platforms and Locations

    Platform        Location                         Notes
    x86_64 Linux    Included with Intel compilers
    BG/Q            Not available

Quick Start

The Intel compilers can be accessed with the icc, icpc, and ifort commands for C, C++, and Fortran, respectively. These commands will run the LC "default" version. MPI wrappers exist for each command and can be accessed by prefixing the compiler command with "mpi" (i.e., mpiicc, mpiicpc, and mpiifort). Additional versions can be run by appending the version number to the compiler command, such as icc-14.0.174 or mpiifort-14.0.174, or by using version-specific dotkits (e.g., use ic-16.0.150) and then invoking icc, mpiifort, etc.

The SSA tool is run by using the Intel compiler and adding the -diag-enable sc# flag, where # can be 1 (e.g., -diag-enable sc1), 2, or 3, depending on the level of diagnostics desired. A value of "1" requests that only critical errors be reported, a value of "2" requests that all errors be reported, and a value of "3" requests that all errors and warnings be reported. You may optionally specify the -diag-enable sc-include flag, which requests that analysis also be performed on system include files.

The -diag-enable sc# flag needs to be present on both the compile line and the link line. During the compilation phase, the compiler will analyze the source code within the current source file and generate separate "pseudo object modules" in addition to normal object files. During the link phase, SSA will automatically use the pseudo object modules and perform the actual analysis across source file boundaries, similar to inter-procedural optimizations. Do not use the -no-ipo flag because that will disable the necessary infrastructure. Note that your application need not be able to run correctly with the Intel compiler; the only requirement is that the Intel compiler be able to build your code without a compilation error. Thus, using another vendor's compiler due to run-time behavior, run-time errors, etc., should not be an impediment to running Intel's SSA.
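As an added example (not part of the original page), this POSIX shell helper prints the compile and link commands with the SSA flag on both, and rejects a diagnostic level outside 1-3 or a -no-ipo in the extra flags. The function names, the source file names, and the output name app are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print SSA build commands (dry run) and reject flag sets
# that would break the analysis. Helper names, file names, and the output
# name "app" are hypothetical; the icc flags are the ones named above.

# ssa_flags LEVEL [include]: print the SSA diagnostic flags for a level.
ssa_flags() {
    case "$1" in
        1|2|3) ;;   # 1 = critical errors, 2 = all errors, 3 = errors and warnings
        *) echo "ssa: level must be 1, 2, or 3" >&2; return 2 ;;
    esac
    flags="-diag-enable sc$1"
    if [ "${2:-}" = "include" ]; then
        flags="$flags -diag-enable sc-include"   # also analyze system include files
    fi
    printf '%s\n' "$flags"
}

# ssa_plan LEVEL EXTRA_FLAGS SRC...: print one compile line per source file
# and one link line, with the SSA flag present on every line.
ssa_plan() {
    level=$1; extra=$2; shift 2
    sc=$(ssa_flags "$level") || return 2
    case " $extra " in
        *" -no-ipo "*)
            echo "ssa: -no-ipo disables the infrastructure SSA needs" >&2
            return 3 ;;
    esac
    objs=""
    for src in "$@"; do
        obj="${src%.*}.o"
        echo "icc $sc${extra:+ $extra} -c $src -o $obj"
        objs="$objs $obj"
    done
    echo "icc $sc${extra:+ $extra}$objs -o app"
}

# Dry run for two constructed source files.
ssa_plan 3 "-g" main.c util.c
```

Pipe the output to sh on a system with an Intel compiler older than version 16 to run the build.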

When using the Intel 11 compiler, the analysis is output as text to the terminal by default. The output can be directed to a file with the -diag-file option. The -diag-file flag takes an optional =filename specification (e.g., -diag-file=output.txt); otherwise it will create a file named BASENAME.diag, where BASENAME is the base name of the first source file specified on the link line. When using the Intel 12, 13, 14, or 15 compiler, the output is saved to a directory that you can then open with the Intel Inspector GUI using the inspxe-gui command. The directory by default will be named rXYZsc, where XYZ is an incremented number starting with 000. After launching the Inspector GUI, select the "Open Result" option, choose the rXYZsc directory, and then select the rXYZsc.inspxe file.

Tutorials

A tutorial for Intel's SSA tool can be found on LC CHAOS Linux clusters in /usr/local/tools/inspector-2015/documentation/en/tutorials/static_security/C++/index.htm.  Example C++ code is available in /usr/local/tools/inspector-2015/samples/en/C++/tachyon_ssa.tgz, and example Fortran code is available in /usr/local/tools/inspector-2015/samples/en/Fortran/FortranDemo_ssa.tgz. 

Documentation and References

Documentation for SSA is included in Intel Inspector's documentation, which can be found in /usr/local/tools/inspector-2015/documentation/en/documentation_inspector.htm.
