Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the subset of problems that static analysis cannot capture?

Tags:

security

static-analysis

dynamic-analysis

I am trying to understand the difference between static analysis and dynamic analysis for the purpose of program flow execution, for detection of security vulnerabilities.

It is fairly clear that dynamic analysis's primary weakness is that it cannot explore all possible states that a program can get into, because it relies on actually running the program with a particular set of inputs.

However, static analysis seems to reason about all possible program states, so I cannot envision a scenario where static analysis might fail, even though I am sure that such a scenario does exist. Most of the references I have looked at seem to vaguely say that the "abstract state analysis" is not as precise as what dynamic analysis can provide, but that is too fluffy for me.

Can anyone provide a simple explanation with concrete examples of where static analysis fails and dynamic analysis would be needed?

like image 965
merlin2011 Avatar asked Jun 08 '14 00:06

merlin2011

1 Answers

Static analysis cannot ever be complete for all programs given a Turing complete input format (this includes almost all programming languages) as one cannot in general determine whether a piece of code is ever executed or not: you cannot determine whether the code prior to it halts — i.e., finishes executing (if it goes into an infinite loop, then any "problem" beyond it is bogus as it is unreachable) — a problem known as the halting problem.

However, it is, in principle, possible to find all possible problems if you also permit the analysis to output "problems" that don't actually exist. This is what virtually all static analysis tools do — large amounts of engineering effort is spent on minimizing the number of false problems they report.

Furthermore, it is worthwhile to note that some state exploration systems essentially do execute the program for every state (typically stopping a new exploration if the state has become equivalent) — however, many programs have impractically large input state spaces (consider any program taking textual input!) making them practically impossible to fully explore all states.

like image 179
gsnedders Avatar answered Oct 12 '22 13:10

gsnedders
Sign in to Comment

Related questions

Storing Passwords in HTML5 LocalStorage
Why is Xcode trying to access 'cs193p.dyndns.org'
How to secure TeamCity deployment via Web Deploy service?
Hiding OAuth consumer secret in public github repository and other sensitive data
Cannot figure out how to publish public key generated on iPhone
WCF REST basic authentication on certain methods
How to correctly secure an application that uses in-app purchases and local DB
Spring security only for authorization. External authentication
How do I securely connect a Backbone.js app to a database?
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
WCF in IIS, http basic authentication - Windows User "security" implications
Does javascript "fake privacy" pose a security risk?
How to set the key size for RSAProtectedConfigurationProvider from the code
Microsoft ISA Server Authentication in Android
How to give security voter access to current object
Does an iframe on a subdomain provide an adequate JS sandbox?
Certificate Loading Issue
Returning User Roles to an AngularJS app from ASP.NET Identity using OAuth and bearer tokens
Authorize.Net DPM fails with an SHA-256 SSL cert
How to store encryption key secure in C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!