[racket] static analysis for finding vulnerabilities on non-executable and untyped language

From: Kevin Forchione (lysseus at gmail.com)
Date: Wed Jun 4 11:50:23 EDT 2014

On Jun 4, 2014, at 7:05 AM, J. Ian Johnson <ianj at ccs.neu.edu> wrote:

> If you can't execute programs in the language, there are no vulnerabilities. So your analysis is 
> 
> (define (vulnerable? program) #f)
> 
> It just isn't "available" in the A of security's CIA (confidentiality, integrity and availability).
> 
> In all seriousness, you'll want to learn about semantics. What does your AST /mean/? How does it behave? Only then can you make predictions about its behavior with a static analysis.
> A good place to start is the PLT redex book
> http://www.amazon.com/Semantics-Engineering-Redex-Matthias-Felleisen/dp/0262062755/ref=sr_1_1?ie=UTF8&qid=1401889682&sr=8-1&keywords=plt+redex
> 
Is there an ebook version available for those of us visually-challenged? I’d hate to have to wait for Google.

—Kevin 
Posted on the users mailing list.