This is a review of KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs by Cristian Cadar, Daniel Dunbar, and Dawson Engler and Finding Security Vulnerabilities in Java Applications with Static Analysis by V. Benjamin Livshits and Monica S. Lam for my CS 253 Computer Security class.
This is the first time that I have read thoroughly on the topic of code analysis. Usually, if I want to find an error in a program, I just use the trial-and-error method: enter some data and see what happens. I never bothered running the code through a code analyzer. So basically, I catch an error when the program is already running. It has worked for me so far, but I think I should start catching errors at the code level. Of course, I’m not saying that I code sloppily or carelessly; I always try to catch all possible sources of errors when coding. It’s just that an additional level of error catching doesn’t hurt.
I generally agree with the two papers. It’s even amazing that they found bugs using their methods and had them fixed almost immediately. However, just like with the previous papers, I felt like I was reading parts of a product commercial again. I’m beginning to dislike how some papers describe their work as far superior to others’ without an in-depth comparison and, in some cases, without even describing their work in full detail. What I understood about KLEE is how to use it by passing command-line arguments, but I’m still confused about its inner workings and how it produces its output. Basically, I know the input and the output but not the process that connects them. I might have missed it in the paper, though.
The Static Analysis paper, on the other hand, offers a more complete view of how it works. But I still found traces of self-promotion in it. I don’t know whether this kind of promotion is just a side effect of writing a paper, whether I’m just being picky, or whether it is really intended. Just like with the other paper, I haven’t fully understood how static analysis works. Part of my confusion, I guess, comes from the terms used, like tainted objects. I’m also not really familiar with this kind of approach in computer security, although the causes of the vulnerabilities mentioned are well understood, so I get static analysis more than symbolic execution.
In summary, I’m grateful to the two papers because they introduced me to topics that are relatively new to me or that I haven’t really explored yet. I think this is also why I have only a few things to say about the contents of the papers. The two papers also inspire me to find or develop an analysis tool similar to the ones they discuss that I can apply to the software projects I’m working on. And rest assured that I will not promote it in a paper. Just joking.