Codemind CSI/CQI, a source code diagnostic tool, discovers security vulnerabilities inherent in the source code and detects, in advance, potential errors that could occur during software execution.
The technology of analyzing software without executing it, in order to proactively identify inherent errors, is known as static analysis. Static analysis encompasses various techniques such as type analysis, data flow analysis, control flow analysis, information flow analysis, memory shape analysis, and more.
Abstract interpretation is a formal method that enables various static analysis techniques to be designed within a single framework. It has become a standard in static analysis because it allows for the systematic implementation of various semantic analyses.
The principle of abstract interpretation is to calculate abstract values through abstract operations for a specific program. For example, in a simple program like the following, it involves creating a system of equations to determine the possible ranges of x values at each point.
The solution to these equations is a fixed point, which is computed by iterating until the values stop changing.
In this way, it calculates variable values or predicts the configuration of memory allocations.
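The equation system and its iterative solution can be shown on a small interval analysis; this is an added example, not Codemind's code or the program from the original figure. The loop program, the point names X1 to X4 and all function names are constructed for illustration, and the example goes one step beyond the text by also showing widening, the standard way to make the iteration terminate quickly.

```python
import math

INF = math.inf
BOT = None  # bottom: program point not reached yet

# Constructed program (not from the page), x's interval tracked at 4 points:
#   x = 0                # X1 = [0,0]
#   while x < 100:       # X2 = (X1 join X3) meet [-inf,99]   (inside loop)
#       x = x + 1        # X3 = X2 + [1,1]
#   # after the loop     # X4 = (X1 join X3) meet [100,+inf]

def join(a, b):  # least upper bound: smallest interval covering both
    if a is BOT or b is BOT:
        return b if a is BOT else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):  # intersection, used to apply a branch condition
    if a is BOT or b is BOT:
        return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def add(a, k):  # abstract version of "x + k"
    return BOT if a is BOT else (a[0] + k, a[1] + k)

def widen(old, new):  # push any still-growing bound to infinity
    if old is BOT or new is BOT:
        return new if old is BOT else old
    return (old[0] if old[0] <= new[0] else -INF,
            old[1] if old[1] >= new[1] else INF)

def step(s):  # evaluate the right-hand side of every equation once
    x1, x2, x3, _ = s
    head = join(x1, x3)  # values arriving at the loop test
    return ((0, 0), meet(head, (-INF, 99)), add(x2, 1), meet(head, (100, INF)))

def solve(use_widening=False):
    state, rounds = (BOT, BOT, BOT, BOT), 0
    while True:
        nxt = step(state)
        if use_widening:  # widen X3, the value carried by the loop back edge
            nxt = nxt[:2] + (widen(state[2], nxt[2]),) + nxt[3:]
        if nxt == state:  # nothing changed: fixed point reached
            return state, rounds
        state, rounds = nxt, rounds + 1

if __name__ == "__main__":
    print("plain  :", solve())
    print("widened:", solve(use_widening=True))
```

Plain iteration needs about two rounds per loop trip to reach the exact exit value [100, 100]; widening stops after a handful of rounds but over-approximates the exit value as [100, +inf], which is still sound.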
The second figure illustrates the process of computing the memory layout of a given program through abstract interpretation. It serves as an example of detecting use-after-free errors, which occur when a program continues to use a pointer after it has been freed.
Furthermore, CODEMIND has implemented a static analysis engine using a graph database. It allows for real-time inspection of analysis results during analysis and enables the creation of defect tracking graphs on-the-fly.
Static Analysis Team
- We are developing a static analysis tool based on abstract interpretation. It diagnoses secure coding and quality using various analysis techniques, including syntax analysis, control flow analysis, memory analysis, and value analysis.
- We primarily use functional languages like Scala and object-oriented languages like Java for development.
- We offer on-the-fly diagnosis and defect tracking graphs, which we have implemented as the first of their kind in South Korea by integrating graph database-based analysis and semantic analysis.
- We prioritize providing customized tools to meet the unique development environment and diagnostic requirements of each customer, aiming to ensure customer satisfaction in software security and safety.