Static analysis is any method by which the source code or binary code of a system is analysed without the code being run. Static analysis tools are used to discover weaknesses that may lead to vulnerabilities. These tools determine whether code contains an error by comparing it against a database of known flaws.
However, these tools do not ensure that code is completely error-free: most security vulnerabilities cannot simply be categorised for automatic detection, because they are more complex than a single erroneous line of source code. Such tools have no way of understanding complex errors like an incorrect implementation of cryptography, verification problems, permission issues, etc. They are intended to catch simple mistakes that the programmer may have overlooked.
These systems also have no understanding of the purpose of code. Take the following example:
int perimeter(int length, int width) {
    /* Deliberately wrong: this returns twice the area, not 2 * (length + width). */
    return (length * width * 2);
}
Static analysis tools may report the risk of an integer overflow in the multiplication, but they have no way of knowing that the function does not calculate the perimeter as intended.
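To make that distinction concrete, here is a toy checker added as an example (it is not a tool from the page, nor Facebook's Infer or Zoncolan): it compares the perimeter function above against a small constructed rule database, flags the multiplication of int operands as a possible overflow, and, exactly as described above, reports nothing about the wrong formula. The rule names, regular expressions and the Finding type are all assumptions made for this illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


# Constructed stand-in for the "database of known flaws" such tools compare
# code against: each rule is a syntactic pattern paired with the weakness it
# is meant to flag. Real tools use far richer models (types, data flow).
DANGEROUS_CALLS = re.compile(r"\b(gets|strcpy|sprintf)\s*\(")
INT_DECL = re.compile(r"\bint\s+([A-Za-z_]\w*)")
MUL = re.compile(r"([A-Za-z_]\w*|\d+)\s*\*\s*([A-Za-z_]\w*|\d+)")


def analyse(source: str) -> list[Finding]:
    """Report lines matching known weakness patterns; the code is never run."""
    # Pass 1: record every identifier declared with type int (parameters and
    # locals alike) so the overflow rule knows the operand widths.
    int_names = set(INT_DECL.findall(source))
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if DANGEROUS_CALLS.search(line):
            findings.append(Finding("dangerous-call", lineno,
                                    "call to unbounded C library function"))
        for left, right in MUL.findall(line):
            if left in int_names or right in int_names:
                findings.append(Finding("int-mul-overflow", lineno,
                    f"'{left} * {right}' on int operands may overflow"))
                break  # one report per line is enough
    return findings


# The page's perimeter function as constructed sample input. It is
# deliberately wrong (twice the area, not the perimeter), and no rule
# in the database can express that, because no rule knows the intent.
SAMPLE = """int perimeter(int length, int width) {
    return (length * width * 2);
}"""

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Running it prints a single overflow warning for line 2 of the sample; the semantic error goes unreported, which is the reviewer's job.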
In industry, these tools cannot replace manual code review; however, they save a significant amount of time by stamping out the simple errors that would otherwise impede the reviewer’s ability to efficiently identify more subtle, complex errors. As such, large companies such as Facebook have begun deploying static analysis tools alongside manual review.
Facebook deployed the static analysis tools ‘Infer’ and ‘Zoncolan’ to identify problems that may cause crashes or jeopardise the security of its services. While integrating these systems into its engineers’ workflows, it was crucial that productivity was not negatively impacted, so that the deployment remained profitable. They state in their paper that the deployment of static analysis tools was successful and that the systems flagged a substantial number of bugs.

They conclude with the following quote:
“To industry professionals we say: advanced static analyses, like those found in the research literature, can be deployed at scale and deliver value for general code. And to academics we say: from an industrial point of view the subject appears to have many unexplored avenues, and this provides research opportunities to inform future tools.”
If Facebook’s success with static analysis tools is anything to go by, the use of these systems may soon become an industry standard. This will, in turn, pass the benefits of improved security on to the consumer.