Friday, September 09, 2011

Short note on static analysis and lobbying

After getting annoyed with Twitter's 140-char limit when trying to make a sane point, I switch back to an old-school medium that allows actual arguments ;)

I was commenting on the dishonesty in lobbying for legally mandated static analysis with "cyber security" as an underlying argument.

I think this is a total bullshit argument.

Static analysis is good at removing a large number of low-hanging fruit when it comes to both reliability and security bugs. But: Static analysis alone fails to significantly increase the resilience of real-world systems against determined attacks (although it may increase the resilience to really casual attacks).

So I think it is good & sane to mandate static analysis for some pieces of code for reliability reasons. I'd rather fly in an airplane with formally verified avionics code.

The reality is though that even the most sophisticated static analysis systems nowadays are not terribly good at dealing with dynamically allocated memory, suffer from grotesque overapproximation as a result of summarizing dynamically allocated memory, and in general don't deal with many common programming patterns very well.

Avionics code without dynamic memory allocation and a team of people getting a static analyzer going profits a lot from static analysis. The browser that I am typing this in profits much less: It uses a gazillion programming idioms that are notoriously hard to analyze. No existing and generally available static analysis will significantly impact the difficulty of finding a remotely exploitable bug in this browser.
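To make the "summarizing dynamically allocated memory" point of the two paragraphs above concrete, here is a toy heap analysis I added for illustration; it is not code from the post. It interprets a three-statement mini-language (alloc / free / use) twice: once precisely, tracking every heap object on its own, and once with the allocation-site abstraction most real analyzers use, where every object created at the same program point is folded into one summary object that only admits weak updates. The sample programs are constructed; the analyzer is hypothetical and deliberately minimal.

```python
"""Allocation-site summarization and the overapproximation it causes.

A concrete interpreter knows each heap object individually.  The abstract
analysis keeps one summary object per allocation site; because it cannot tell
which of the folded objects a free() touched, it may only *weakly* update the
summary (add "freed" to the set of possible states, never replace it).  A
program that is actually safe is therefore flagged as a possible
use-after-free, which is exactly the overapproximation the post describes.
Hypothetical toy analysis, constructed for illustration; not the post's code.
"""

# Mini-language statements:
#   ("alloc", var, site)  var = malloc() at allocation site `site`
#   ("free", var)         free(var)
#   ("use", var)          dereference var


def run_concrete(program):
    """Precise execution: every allocation is a distinct object with its own state."""
    env = {}        # variable -> object id
    state = {}      # object id -> "alive" | "freed"
    findings = []
    next_id = 0
    for stmt in program:
        op = stmt[0]
        if op == "alloc":
            _, var, _site = stmt
            env[var] = next_id
            state[next_id] = "alive"
            next_id += 1
        elif op == "free":
            state[env[stmt[1]]] = "freed"          # strong update: we know the object
        elif op == "use":
            if state[env[stmt[1]]] == "freed":
                findings.append(f"use-after-free of {stmt[1]}")
    return findings


def run_allocation_site_abstract(program):
    """Summarized execution: one abstract object per allocation site, weak updates only."""
    env = {}        # variable -> allocation site
    state = {}      # site -> set of states the summary object may be in
    findings = []
    for stmt in program:
        op = stmt[0]
        if op == "alloc":
            _, var, site = stmt
            env[var] = site
            # A fresh object is alive, but the summary still stands for every
            # earlier object from this site, so earlier states are kept.
            state.setdefault(site, set()).add("alive")
        elif op == "free":
            # Weak update: some object from this site is freed, we do not know which.
            state[env[stmt[1]]].add("freed")
        elif op == "use":
            site = env[stmt[1]]
            if "freed" in state[site]:
                findings.append(f"possible use-after-free of {stmt[1]} (site {site})")
    return findings


# Constructed sample 1: two iterations of a loop body that allocates at the same
# site, frees the first object and then uses the second.  Actually safe.
SAFE_PROGRAM = [
    ("alloc", "p", "L10"),
    ("alloc", "q", "L10"),
    ("free", "p"),
    ("use", "q"),
]

# Constructed sample 2: a genuine use-after-free, which both analyses catch.
BUGGY_PROGRAM = [
    ("alloc", "p", "L10"),
    ("free", "p"),
    ("use", "p"),
]


def compare(program):
    """Return (concrete findings, abstract findings) so the two can be contrasted."""
    return run_concrete(program), run_allocation_site_abstract(program)


if __name__ == "__main__":
    for name, prog in (("safe", SAFE_PROGRAM), ("buggy", BUGGY_PROGRAM)):
        concrete, abstract = compare(prog)
        print(f"{name}: concrete={concrete} abstract={abstract}")
```

On the safe program the precise interpreter reports nothing while the summarized one reports a possible use-after-free: a false positive produced purely by folding two objects into one summary. An analyzer that instead applied strong updates to the summary would go the other way and miss real bugs, which is why the imprecision is hard to engineer away rather than a matter of tuning. Code that never frees, or never allocates dynamically at all (the avionics case), never exercises this path, which is one reason it is so much easier to analyze than a browser.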

So, in short: Using SA can have great benefits in particular scenarios. Verifying an avionics system is a great example. Verifying a microkernel that allows me to safely sandbox my terribly buggy browser is another example. Mandating SA for general software development is insanity, though: The current state of research (let's not even speak about available products) isn't capable of impacting the resiliency (against determined attack) of a browser or document viewer significantly. Let's not kid ourselves: The technology just isn't there, and won't be for another few years.