undefined | Better HN

0 pointsUncleMeat2y ago0 comments

Static analysis as a bugfinding tool has proven to be insufficient, especially for large C++ binaries and JS programs. Both languages are nightmares for precise and scalable analysis.

Coverity exists. They've got a great product. But it doesn't solve the problem.

0 comments

pjmlp2y ago

It doesn't solve everything, it solves even less when it isn't used.

UncleMeatOP2y ago

Of course. But these issues will remain near the top of the list indefinitely if people just leverage traditional analysis tools.

I love static analysis. I did my PhD in it. But we'll still be talking about use after free in 2073 if we just try to chase higher K in our analysis implementations.

pjmlp2y ago

Naturally static analysis alone doesn't fix use after free in all possible cases, however it already does fix several of them when the analyser can see everything on the existing source code.

The main issue is the community sub-culture of not adopting tooling as it isn't perfect 100% of the time.

Many of the C++ security conscious folks end up being polyglot, as this subculture eventually wears one out.

1 more reply

j / k navigate · click thread line to collapse

0 pointsUncleMeat2y ago0 comments

Static analysis as a bugfinding tool has proven to be insufficient, especially for large C++ binaries and JS programs. Both languages are nightmares for precise and scalable analysis.

Coverity exists. They've got a great product. But it doesn't solve the problem.

0 comments

pjmlp2y ago

It doesn't solve everything, it solves even less when it isn't used.

UncleMeatOP2y ago

Of course. But these issues will remain near the top of the list indefinitely if people just leverage traditional analysis tools.

I love static analysis. I did my PhD in it. But we'll still be talking about use after free in 2073 if we just try to chase higher K in our analysis implementations.

pjmlp2y ago

Naturally static analysis alone doesn't fix use after free in all possible cases, however it already does fix several of them when the analyser can see everything on the existing source code.

The main issue is the community sub-culture of not adopting tooling as it isn't perfect 100% of the time.

Many of the C++ security conscious folks end up being polyglot, as this subculture eventually wears one out.

1 more reply

j / k navigate · click thread line to collapse