Comment by rubendev

8 days ago

With a capable static analyzer that is not true. In many common cases they can deduce the possible ranges of values based on branching checks along the data flow path, and if that range falls within the buffer then it does not report it.

Be specific. Which analyzer are you talking about and which specific targets are you saying they were successful at?

  • Intrinsa's PREfix static source code analyzer would model the execution of the C/C++ code to determine values which would cause a fault.

    IIRC they were using a C/C++ compiler front end from EDG to parse C/C++ code to a form they used for the simulation/analysis.

    see https://web.eecs.umich.edu/~weimerw/2006-655/reading/bush-pr... for more info.

    Microsoft bought Intrinsa several years ago.

    • I'm sure this is very interesting work, but can you tell me what targets they've been successful surfacing exploitable vulnerabilities on, and what the experience of generating that success looked like? I'm aware of the large literature on static analysis; I've spent most of my career in vulnerability research.