Static Code Analysis - A Behind-the-scenes Look • Arno Haase • GOTO 2022
This presentation was recorded at GOTO Amsterdam 2022. #GOTOcon #GOTOams
Arno Haase - Principal Engineer at Contrast Security
ABSTRACT
There is a wide range of tools that analyze program code and provide feedback on it - linters, IDE inspections, and scanners that find bugs, check coding style or find vulnerabilities.
This session takes a technical look behind the scenes, exploring how these tools work and what challenges they face. Besides being fun to dive into, this may even help in understanding the strengths and limitations of specific tools [...]
TIMECODES
00:00 Intro
01:03 File & text utilities
01:48 Challenge: Cross referencing
02:33 Abstract syntax tree
03:47 Which identifier refers to what?
05:33 Explicit support for all language features
06:26 Byte code
07:15 Which is the better choice?
08:35 Tracking flows
10:15 Assignment
11:00 Propagators
12:18 Conditional flows
14:24 Combinatorial explosion
16:08 Merging
16:53 Combinatorial explosion - Revisited
17:34 Merging - Limitations
18:37 Loops
20:15 Impossible to be precise
20:44 Function calls
21:40 Recursion
22:26 Virtual method calls
24:05 Call graph
26:33 Flow sensitivity
27:48 Aliasing
29:57 Framework / Library knowledge
31:58 Identifying unique findings
33:38 Quality of results
34:49 Levels of sophistication
35:58 Summary
37:10 Outro
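The timecodes above name the building blocks of a flow-tracking analyzer (abstract syntax tree, tracking flows through assignment, propagators, conditional flows and merging, loops, identifying unique findings, flow sensitivity). The following is an added example, written for this page and not code from the talk or from Contrast Security: a toy intraprocedural taint analysis over Python's `ast` module. The source, sink and sanitizer names (`input`, `eval`, `os.system`, `sanitize`) are an assumed policy, and `SAMPLE` is a constructed input, not real application code. Running it should report `os.system` on line 6 of the sample (tainted on one branch of the `if`, so the merged state keeps it) and `eval` on line 10 (clean on the first loop round, tainted on the second, found once thanks to the fixpoint and de-duplication); the sanitized call and the reassigned `cmd` produce no finding.

```python
import ast

# Toy policy (an assumption for this example, not from the talk): calls that
# introduce attacker data, calls that must never receive it, trusted cleaners.
SOURCES = {"input"}
SINKS = {"eval", "os.system"}
SANITIZERS = {"sanitize"}

def dotted_name(node):
    """'os.system' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """Propagator: is the value of `expr` derived from tainted data?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Constant):
        return False
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        # Any other call passes taint through from its arguments and receiver
        parts = list(expr.args)
        if isinstance(expr.func, ast.Attribute):
            parts.append(expr.func.value)  # e.g. user in user.strip()
        return any(is_tainted(p, tainted) for p in parts)
    # BinOp, f-string, subscript, ...: tainted if any child expression is
    return any(is_tainted(c, tainted)
               for c in ast.iter_child_nodes(expr) if isinstance(c, ast.expr))

def check_sinks(expr, tainted, findings):
    """Record (line, sink) for each sink call in `expr` fed tainted arguments."""
    for node in ast.walk(expr):
        if (isinstance(node, ast.Call) and dotted_name(node.func) in SINKS
                and any(is_tainted(a, tainted) for a in node.args)):
            findings.add((node.lineno, dotted_name(node.func)))

def run_stmts(stmts, tainted, findings):
    """Abstractly execute a statement list; return the tainted set after it."""
    tainted = set(tainted)
    for stmt in stmts:
        if isinstance(stmt, ast.Assign):
            check_sinks(stmt.value, tainted, findings)
            names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if is_tainted(stmt.value, tainted):
                tainted |= names  # assignment propagates taint
            else:
                tainted -= names  # overwritten with clean data: taint killed
        elif isinstance(stmt, ast.Expr):
            check_sinks(stmt.value, tainted, findings)
        elif isinstance(stmt, ast.If):
            # Conditional flow: run each branch from the same entry state, then
            # merge by union (may-analysis: one tainted path is a finding).
            tainted = (run_stmts(stmt.body, tainted, findings)
                       | run_stmts(stmt.orelse, tainted, findings))
        elif isinstance(stmt, (ast.For, ast.While)):
            # Loop: re-run the body until the state stops changing (fixpoint);
            # the state only grows, so this ends after finitely many rounds.
            # The loop variable itself is not tracked by this toy.
            while True:
                before = set(tainted)
                tainted |= run_stmts(stmt.body, tainted, findings)
                if tainted == before:
                    break
        # Anything else (import, def, with, try, ...) is ignored by this toy.
    return tainted

def analyze(source):
    """Parse `source`; return sorted, de-duplicated (line, sink) findings."""
    findings = set()
    run_stmts(ast.parse(source).body, set(), findings)
    return sorted(findings)

# Constructed sample input, not real application code.
SAMPLE = """user = input()
if user.startswith("x"):
    cmd = "ls " + user
else:
    cmd = "ls"
os.system(cmd)
os.system(sanitize(user))
acc = ""
for part in ["a", "b"]:
    eval(acc)
    acc = acc + user
cmd = "pwd"
os.system(cmd)
"""

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

The design choices mirror the trade-offs the talk lists: the state is a plain set of variable names (no aliasing, no fields, no call graph), merging is a union so the result over-approximates and can produce false positives, and loops are handled by iterating to a fixpoint rather than by unrolling, which is what keeps the combinatorial explosion in check.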
RECOMMENDED BOOKS
Gerardus Blokdyk • Static Code Analysis Strategy A Complete Guide
Eric Miller • Static Code Analysis for Security
William Shotts • The Linux Command Line
Blum & Bresnahan • Linux Command Line and Shell Scripting Bible
#Serverless #Security #StaticCodeAnalysis #CodeAnalysis #Programming #Commandline #CommandlineTools #Identifier #ByteCode #FlowSensitivity