Static Code Analysis - A Behind-the-scenes Look • Arno Haase • GOTO 2022
- Published 31 Jul 2024
- This presentation was recorded at GOTO Amsterdam 2022. #GOTOcon #GOTOams
gotoams.nl
Arno Haase - Principal Engineer at Contrast Security
ABSTRACT
There is a wide range of tools to analyze program code and provide feedback on it - linters, IDE inspections, scanners to find bugs, check coding style or find vulnerabilities.
This session takes a technical look behind the scenes, exploring how these tools work and what challenges they face. Besides being fun to dive into, this may even help in understanding the strengths and limitations of specific tools [...]
TIMECODES
00:00 Intro
01:03 File & text utilities
01:48 Challenge: Cross referencing
02:33 Abstract syntax tree
03:47 Which identifier refers to what?
05:33 Explicit support for all language features
06:26 Byte code
07:15 Which is the better choice?
08:35 Tracking flows
10:15 Assignment
11:00 Propagators
12:18 Conditional flows
14:24 Combinatorial explosion
16:08 Merging
16:53 Combinatorial explosion - Revisited
17:34 Merging - Limitations
18:37 Loops
20:15 Impossible to be precise
20:44 Function calls
21:40 Recursion
22:26 Virtual method calls
24:05 Call graph
26:33 Flow sensitivity
27:48 Aliasing
29:57 Framework / Library knowledge
31:58 Identifying unique findings
33:38 Quality of results
34:49 Levels of sophistication
35:58 Summary
37:10 Outro
Download slides and read the full abstract here:
gotoams.nl/2022/sessions/2016...
RECOMMENDED BOOKS
Gerardus Blokdyk • Static Code Analysis Strategy A Complete Guide • amzn.to/3pyZZFl
Eric Miller • Static Code Analysis for Security • amzn.to/3dNBj9G
William Shotts • The Linux Command Line • amzn.to/3kpLbrl
Blum & Bresnahan • Linux Command Line and Shell Scripting Bible • amzn.to/3kn4j9s
#Serverless #Security #StaticCodeAnalysis #CodeAnalysis #Programming #Commandline #CommandlineTools #Identifier #ByteCode #FlowSensitivity
Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket at gotopia.tech
Sign up for updates and specials at gotopia.tech/newsletter
SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.
ua-cam.com/users/GotoConf... - Science & Technology
Thanks for the talk!
In between I had some thoughts of "oh, that's why Rust is not doing X"
I was always curious about how much does the static analyzer really "understand" about the code. Great talk! Thank you.
Languages I'm used to, Objective-C 2.0 and Swift, have used static analysis successfully as a deterministic, automated memory management system at compile time, combined with reference counting, for quite some time on a mass scale. Curious why this hasn't become the norm for all higher-level languages as a replacement for garbage collection.