
Static Analysis

CODEMIND CSI/CQI, a source code diagnostic tool, detects security weaknesses in source code and identifies, in advance, errors that may occur during execution.

The technology that predicts a program's behavior without executing it is called static analysis. Static analysis takes many forms, including type analysis, data flow analysis, control flow analysis, information flow analysis, and memory shape analysis.

Abstract interpretation was devised so that these various static analysis techniques can be designed within one framework. It has established itself as the standard for static analysis because it can systematically implement a variety of semantic analyses based on abstract (summary) analysis.

The principle of abstract interpretation is to compute abstracted values by running the given program with abstracted arithmetic operations. For example, from the simple program below, a system of simultaneous equations can be set up that calculates the range of values x can take at each program position. The solution of the simultaneous equations is called the "fixed point," and the fixed point is calculated by iteration.
In this way, variable values are computed or the layout of allocated memory is predicted. The second figure shows the process of calculating the memory shape of a given program through abstract analysis. Here is an example of detecting a use-after-free error reported from a memory analysis result.
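The range computation described above, as an added example that is not CODEMIND's code: interval analysis of a constructed loop (`x = 0; while x < limit: x = x + 1`), solved by re-evaluating its equations until a fixed point is reached, with the result used to check an array index. The program, the function names and the buffer size are assumptions made for illustration.

```python
import math

INF = math.inf
BOT = None  # abstract value of an unreachable program point

def join(a, b):
    """Smallest interval containing both a and b."""
    if a is BOT or b is BOT:
        return b if a is BOT else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    """Intersection of a and b; BOT when they do not overlap."""
    if a is BOT or b is BOT:
        return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def shift(a, k):
    """Abstract version of `x + k`."""
    return BOT if a is BOT else (a[0] + k, a[1] + k)

def equations(limit):
    """One equation per point of the constructed program
         x = 0; while x < limit: x = x + 1
    head = loop test, body = inside the loop, exit = after it."""
    return {
        "head": lambda s: join((0, 0), shift(s["body"], 1)),
        "body": lambda s: meet(s["head"], (-INF, limit - 1)),
        "exit": lambda s: meet(s["head"], (limit, INF)),
    }

def solve(eqs):
    """Re-evaluate all equations from BOT until nothing changes.
    Converges here because the loop is bounded; analyzers for
    unbounded loops add widening to force convergence."""
    state = {p: BOT for p in eqs}
    while True:
        new = {p: f(state) for p, f in eqs.items()}
        if new == state:
            return state
        state = new

def index_in_bounds(x, size):
    """True if every value in interval x is a valid index of buf[size]."""
    return x is BOT or (0 <= x[0] and x[1] < size)
```

With `limit = 100`, the fixed point proves that an access `buf[x]` inside the loop is safe for a 100-element buffer, while the same access after the loop is flagged as out of bounds.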

In addition, CODEMIND has implemented a static analysis engine using a graph DB. Analysis results can be checked on the fly while the analysis is still running, and the graph DB is also useful for creating convenient defect tracking graphs.

Static Analysis Team

  • We develop abstract interpretation-based static analysis tools. We provide secure coding diagnosis and quality diagnosis using syntax analysis, flow analysis, memory analysis, and value analysis.
  • For the development environment, we use a functional language such as Scala together with object-oriented languages including Java.
  • We were the first in Korea to integrate graph DB-based analysis and semantic-based analysis to implement on-the-fly diagnosis and provide defect tracking graphs.
  • As customers now present a wide variety of development environments and diagnosis requirements, offering customized tools has become important. We will do our best to meet customer needs for software security and safety.

We will be responsible for software safety and security while putting the highest priority on customer value.