Static Code Analysis - A Behind-the-scenes Look • Arno Haase • GOTO 2022

This presentation was recorded at GOTO Amsterdam 2022. #GOTOcon #GOTOams

Arno Haase - Principal Engineer at Contrast Security

ABSTRACT
There is a wide range of tools that analyze program code and provide feedback on it: linters, IDE inspections, and scanners that find bugs, check coding style or find vulnerabilities. This session takes a technical look behind the scenes, exploring how these tools work and what challenges they face. Besides being fun to dive into, this may even help in understanding the strengths and limitations of specific tools [...]

TIMECODES
00:00 Intro
01:03 File & text utilities
01:48 Challenge: Cross referencing
02:33 Abstract syntax tree
03:47 Which identifier refers to what?
05:33 Explicit support for all language features
06:26 Byte code
07:15 Which is the better choice?
08:35 Tracking flows
10:15 Assignment
11:00 Propagators
12:18 Conditional flows
14:24 Combinatorial explosion
16:08 Merging
16:53 Combinatorial explosion - Revisited
17:34 Merging - Limitations
18:37 Loops
20:15 Impossible to be precise
20:44 Function calls
21:40 Recursion
22:26 Virtual method calls
24:05 Call graph
26:33 Flow sensitivity
27:48 Aliasing
29:57 Framework / Library knowledge
31:58 Identifying unique findings
33:38 Quality of results
34:49 Levels of sophistication
35:58 Summary
37:10 Outro

RECOMMENDED BOOKS
Gerardus Blokdyk • Static Code Analysis Strategy: A Complete Guide
Eric Miller • Static Code Analysis for Security
William Shotts • The Linux Command Line
Blum & Bresnahan • Linux Command Line and Shell Scripting Bible

#Serverless #Security #StaticCodeAnalysis #CodeAnalysis #Programming #Commandline #CommandlineTools #Identifier #ByteCode #FlowSensitivity