Dailydave mailing list archives

Re: Immunity Debugger on eWeek


From: Julien Vanegue <jv274 () cl cam ac uk>
Date: Wed, 15 Aug 2007 11:10:35 +0100


> I'm sure that almost any static analysis will find SOME bugs. My
> opinion is that static analysis is not a game changing event, and
> never will be.

Many problems in static analysis are undecidable (a result known as
"Rice's theorem", derived from the undecidability of the Turing
machine halting problem). So it was never my intention to claim
the opposite.

My opinion is that automated analysis is not a substitute for
manual analysis, but a complement, which can divide the audit
time by 10. It can also strongly reduce the time of exploit
development (if the automated analysis platform provides the
capacity for refinement). You could argue that expert exploit
writers already take just a few hours to develop something
reliable, but I believe this time is increasing as the exploitation
conditions get more complicated (for inherent reasons due to
the exploited bug, or because extra protections are forbidding
the obvious ways of exploitation: non-exec, ASLR, canaries, etc.).

> In the source code world you have Microsoft's Prefix/Prefast and
> Fortify (comes free with the Static Analysis book!) and their
> competitors. These are all quite well engineered and have strong
> academic credentials, but none of them work. But I have yet to run the
> ERESI stuff! So perhaps I will change my entire opinion next week when
> I get a chance to do so. :>

One of the reasons why there is so little communication about the static
analysis primitives in ERESI is that it is still in development (we
are not a commercial project and it takes more time for us!). Also,
ERESI is not intended to provide a ./program, but an environment in
which you can develop your own static analysis very quickly, but I
guess you assumed that.

Julien
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

