Static Analysis

  • Some approaches
    • Automatic testing
    • Code inspection
    • Static Analysis combines the best of both approaches above
  • SAST = Static Application Security Testing
  • Rice’s Theorem: no static analysis can decide a nontrivial semantic property exactly for all programs (the problem is undecidable).
  • So a practical analysis must either over-approximate or under-approximate the program’s behaviors.
  • Sound vs Complete Analysis: sound = over-approximates (every real issue is reported, possibly with false positives); complete = under-approximates (only real issues are reported, possibly missing some).

Flow Analysis

  • Many vulnerabilities are caused by untrusted inputs.
  • Taint Analysis — from source to sink
    • Know where the sinks are
    • Mark user inputs as tainted
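An added example, not taken from the notes: a toy taint-propagation analysis over a constructed mini-IR that marks the result of a source call as tainted, flags tainted values reaching a sink, and shows the over- versus under-approximation choice from the static-analysis bullets at a control-flow join. The function names read_input, run_query, exec_cmd and escape, and the IR format, are assumptions made up for this example.

```python
SOURCES = {"read_input"}           # calls whose result is attacker-controlled
SINKS = {"run_query", "exec_cmd"}  # calls that must not receive tainted data
SANITIZERS = {"escape"}            # calls whose result is treated as clean

# Toy IR (constructed): ("assign", dst, src) | ("call", dst, fn, [args])
#                       | ("branch", then_stmts, else_stmts); dst may be None

def analyze(stmts, tainted=frozenset(), join="may"):
    """Return (tainted vars at exit, findings). join="may" unions taint at
    control-flow joins (over-approximation, sound, may report false
    positives); join="must" intersects (under-approximation, misses flows
    that occur on only one branch)."""
    findings = []
    for stmt in stmts:
        if stmt[0] == "assign":
            _, dst, src = stmt
            tainted = tainted | {dst} if src in tainted else tainted - {dst}
        elif stmt[0] == "call":
            _, dst, fn, args = stmt
            if fn in SINKS:  # tainted data reaching a sink is a finding
                findings += [(fn, a) for a in args if a in tainted]
            if fn in SOURCES:
                tainted = tainted | {dst}
            elif fn in SANITIZERS:
                tainted = tainted - {dst}
            elif dst is not None:  # ordinary call: result tainted iff any arg is
                tainted = tainted | {dst} if any(a in tainted for a in args) else tainted - {dst}
        elif stmt[0] == "branch":
            _, then_b, else_b = stmt
            t1, f1 = analyze(then_b, tainted, join)
            t2, f2 = analyze(else_b, tainted, join)
            tainted = t1 | t2 if join == "may" else t1 & t2
            findings += f1 + f2
    return tainted, findings

# Constructed sample program: only the else branch passes raw input to a sink.
PROGRAM = [
    ("call", "name", "read_input", []),    # source: name is tainted
    ("call", "safe", "escape", ["name"]),  # sanitizer: safe is clean
    ("branch",
     [("assign", "q", "safe")],            # then: q clean
     [("assign", "q", "name")]),           # else: q tainted
    ("call", None, "run_query", ["q"]),    # sink: q MAY be tainted
    ("call", None, "exec_cmd", ["safe"]),  # sink fed only clean data
]
```

With the may-join the sink call run_query(q) is reported; with the must-join the same flow is silently missed, which is exactly the soundness trade-off.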