Why Dynamic Program Analysis is Superior, Part One: In a Nutshell

A few weeks ago, while I was on vacation in the Outer Banks of North Carolina, I was browsing through the media archives for DEF CON 15, since I missed the conference this year (I did make it out to Las Vegas, but not until September, for the SANS Institute’s Network Security event). While I was paging through the PDF-formatted slides for the presentations I missed, one in particular immediately caught my eye; it was entitled “How I Learned to Stop Fuzzing and Find More Bugs.” Essentially, the presenter (Jacob West of Fortify Software) was playing on the fact that most (if not all) publicly available fuzzing utilities exhibit severely inadequate path coverage. Personally, I agree with that assertion. I also believe that Jacob’s claims were somewhat slanted by his employment at a software company that offers a static analysis product. Although I have not yet seen a practical solution for it, I do believe that it is possible to attain an optimal level of path coverage while utilizing dynamic analysis techniques.

The qualm I have with static analysis is its nature by definition: it doesn’t execute the program being scrutinized. Okay, fine. Static analyzers have their place. Maybe the tester is caught in a situation where he or she doesn’t have permission to execute the program. Regardless, I feel such a predicament is rare, and if the tester is capable of executing the program, then why not do so? Why not explore all avenues of possibility? In addition to code execution, dynamic analysis can reap all the benefits of static analysis as well. Static analysis is restricted to read-only access; this is what makes static code analysis an inferior approach to software assurance. Dynamic analyzers get the best of both worlds: they have their cake and eat it, too!

What’s in a nutshell? The kernel, of course... but you won’t get inside the kernel if you just stare at the shell.

Not just a cliché: an analogy that sums up the dynamic versus static debate.
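To make the path-coverage point concrete, here is an added example (mine, not code from the post or from Fortify's product): the same constructed toy target is exercised by a blind fuzzer that gets no feedback from execution and by a loop that watches which lines actually run and keeps only inputs that reach new code. The target, the mutation strategy and the use of `sys.settrace` as the coverage probe are all assumptions of this example.

```python
"""Added example, not code from the original post: two dynamic approaches to
the same toy target, measured by the code paths they actually execute.

The target is constructed for this example; the line-level tracer uses
sys.settrace, an assumption of this example, not a tool the post names."""
import random
import sys


def target(data: bytes) -> str:
    """Constructed target: four nested byte checks guard the deepest path.
    A blind fuzzer has a 1 in 2**32 chance per try of reaching "deep"."""
    if len(data) < 4:
        return "short"
    if data[0] != 0x44:
        return "depth0"
    if data[1] != 0x59:
        return "depth1"
    if data[2] != 0x4E:
        return "depth2"
    if data[3] != 0x41:
        return "depth3"
    return "deep"


def run_traced(func, arg):
    """Run func(arg) and return (result, set of source lines executed inside func)."""
    lines = set()
    code = func.__code__

    def tracer(frame, event, _arg):
        if event == "line" and frame.f_code is code:
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        result = func(arg)
    finally:
        sys.settrace(None)
    return result, frozenset(lines)


def mutate(parent: bytes, rng: random.Random) -> bytes:
    """Single-byte mutation: overwrite one random position with a random value."""
    child = bytearray(parent)
    child[rng.randrange(len(child))] = rng.randrange(256)
    return bytes(child)


def blind_fuzz(budget: int, rng: random.Random):
    """Dumb fuzzer: independent random 4-byte inputs, no feedback from execution.
    Returns the iteration that reached "deep", or None within the budget."""
    for i in range(1, budget + 1):
        data = bytes(rng.randrange(256) for _ in range(4))
        if target(data) == "deep":
            return i
    return None


def coverage_guided_fuzz(budget: int, rng: random.Random):
    """Keep a mutant only when it executes a line nothing has executed before,
    and always mutate the most recently kept input. Each nested check is then
    solved one byte at a time, so the cost grows with the depth of the
    conditional chain rather than with 256 ** depth."""
    seed = b"\x00\x00\x00\x00"
    _, covered = run_traced(target, seed)
    covered = set(covered)
    best = seed
    for i in range(1, budget + 1):
        child = mutate(best, rng)
        result, lines = run_traced(target, child)
        if lines - covered:  # reached new code: this becomes the next parent
            covered |= lines
            best = child
        if result == "deep":
            return i, child
    return None, best


def demo(budget: int = 40_000):
    """Compare both strategies with the same seed and budget."""
    guided_iters, found = coverage_guided_fuzz(budget, random.Random(1))
    blind_iters = blind_fuzz(budget, random.Random(1))
    return {"guided": guided_iters, "found": found, "blind": blind_iters}


if __name__ == "__main__":
    print(demo())
```

With the same budget the blind loop never reaches the deepest branch, while the coverage-guided loop finds the four-byte input in a few thousand iterations; the difference is entirely the feedback that only executing the program can provide, which is what a static analyzer, by definition, never observes.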


4 Comments »

  1. seancomeau said

    I read that one too. I think Jacob had some fair points, but he says “each conditional adds exponentially to the number of input permutations required to hit a bug” which is really not so. Not unless you’re using a dumb fuzzer… but that’s all that’s out there… so I don’t blame him for saying it.

  2. Combinatoric input set generation for executables is always based upon Set Theory’s Power Set (the set of all subsets) and Cartesian Product (match up all elements of set A with all of set B) algorithms. Permutations help sometimes if there’s an input argument sensitive to sequence (sets have no sequences which is why they never have duplicates). The case where permutations really help is if the executable being tested has an interactive command parser or sloppy configuration file. I tend to use permutations most with network protocol and file format fuzzing. I’m not saying you can’t use permutations when generating input attack sets for a getopt() string–I just don’t think they’re very effective since the order of argument values, environment variables and other executable inputs rarely make a difference in call flow, i.e. test case path coverage (including direction and state-transition order) tends to be duplicated.
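The comment above describes input-set generation with the power set, the Cartesian product and permutations, and argues that argument order rarely changes call flow for a getopt() string while it matters for an interactive command parser. The following added example (mine, not code from the post or the commenter) runs both cases: it generates argument sets for a constructed getopt()-driven program, records the branch path each input takes, and deduplicates by path. The two toy targets, the option table and the branch labels are constructed for this example.

```python
"""Added example, not code from the original post or comment: combinatorial
input-set generation for a getopt()-style executable, with the observed
call-flow path used to deduplicate test cases. Targets, options and branch
labels are constructed for this example."""
import getopt
import itertools

TOGGLES = ["-v", "-q", "-n"]                         # constructed: flags without values
VALUED = {"-o": ["out.txt", ""], "-l": ["0", "10"]}  # constructed: options with values


def cli_target(argv):
    """Constructed getopt()-driven program. Returns the ordered branch labels it
    took, i.e. the call-flow path for this input."""
    path = []
    try:
        opts, _args = getopt.getopt(argv, "vqno:l:")
    except getopt.GetoptError:
        path.append("usage_error")
        return path
    opts = dict(opts)
    if "-v" in opts and "-q" in opts:
        path.append("conflict")
        return path
    path.append("high_level" if int(opts.get("-l", "1")) > 5 else "low_level")
    path.append("write_file" if opts.get("-o") else "write_stdout")
    if "-n" in opts:
        path.append("dry_run")
    return path


def stateful_target(commands):
    """Constructed interactive command parser whose behaviour depends on order."""
    path, is_open = [], False
    for cmd in commands:
        if cmd == "open":
            path.append("double_open" if is_open else "open_ok")
            is_open = True
        elif cmd == "write":
            path.append("write_ok" if is_open else "write_unopened")
        elif cmd == "close":
            path.append("close_ok" if is_open else "close_unopened")
            is_open = False
    return path


def power_set(items):
    """All subsets of items (the power set), yielded as tuples."""
    for r in range(len(items) + 1):
        yield from itertools.combinations(items, r)


def argument_units():
    """Power set of toggles x Cartesian product of each valued option's choices
    (absent, or one of its values). Each unit is a tuple of argv tokens that
    must stay adjacent, e.g. ("-o", "out.txt")."""
    names = list(VALUED)
    choices = [[None] + VALUED[name] for name in names]
    for toggles in power_set(TOGGLES):
        for picked in itertools.product(*choices):
            units = [(flag,) for flag in toggles]
            units += [(name, val) for name, val in zip(names, picked) if val is not None]
            yield units


def generate(with_permutations=False):
    """Flatten units into argv lists; optionally emit every ordering of the units."""
    for units in argument_units():
        orders = itertools.permutations(units) if with_permutations else [tuple(units)]
        for order in orders:
            yield [tok for unit in order for tok in unit]


def distinct_paths(target, inputs):
    """Map each observed path to the first input that produced it."""
    seen = {}
    for inp in inputs:
        seen.setdefault(tuple(target(inp)), inp)
    return seen


def summary():
    base = list(generate())
    permuted = list(generate(with_permutations=True))
    seq = list(itertools.permutations(["open", "write", "close"]))
    return {
        "base_inputs": len(base),
        "base_paths": len(distinct_paths(cli_target, base)),
        "permuted_inputs": len(permuted),
        "permuted_paths": len(distinct_paths(cli_target, permuted)),
        "stateful_inputs": len(seq),
        "stateful_paths": len(distinct_paths(stateful_target, seq)),
    }


if __name__ == "__main__":
    print(summary())
```

For the getopt() target, 72 power-set-by-product inputs already cover every distinct path, and expanding them to all 1060 orderings adds no new path at all, which is the duplication the comment predicts; for the stateful command parser, the six orderings of the same three commands produce six different paths, so there permutations are exactly the generator to use. Keying the corpus on the observed path, as `distinct_paths` does, is the cheap dynamic check that tells the two situations apart without guessing in advance.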

